[WebKit-https.git] / JSTests / ChangeLog
1 2019-03-21  Mark Lam  <mark.lam@apple.com>
2
3         Remove an invalid assertion in DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined().
4         https://bugs.webkit.org/show_bug.cgi?id=196116
5         <rdar://problem/48976951>
6
7         Reviewed by Filip Pizlo.
8
9         * stress/dfg-compare-eq-via-nonSpeculativeNonPeepholeCompareNullOrUndefined.js: Added.
10
11 2019-03-21  Tadeu Zagallo  <tzagallo@apple.com>
12
13         JSObject::putDirectIndexSlowOrBeyondVectorLength should check if indexIsSufficientlyBeyondLengthForSparseMap
14         https://bugs.webkit.org/show_bug.cgi?id=196078
15         <rdar://problem/35925380>
16
17         Reviewed by Mark Lam.
18
19         Add a new benchmark that allocates several objects and invokes put_by_val_direct
20         with a large index. run-jsc-benchmarks says "definitely 1.6178x faster".
21
22         * microbenchmarks/put-by-val-direct-large-index.js: Added.
23
24 2019-03-21  Mark Lam  <mark.lam@apple.com>
25
26         Placate exception check validation in operationArrayIndexOfString().
27         https://bugs.webkit.org/show_bug.cgi?id=196067
28         <rdar://problem/49056572>
29
30         Reviewed by Michael Saboff.
31
32         * stress/string-equal-exception-check.js: Added.
33
34 2019-03-21  Mark Lam  <mark.lam@apple.com>
35
36         Cap length of an array with spread to MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.
37         https://bugs.webkit.org/show_bug.cgi?id=196055
38         <rdar://problem/49067448>
39
40         Reviewed by Yusuke Suzuki.
41
42         * stress/new_array_with_spread-should-cap-array-size-to-MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.js: Added.
43
44 2019-03-20  Saam Barati  <sbarati@apple.com>
45
46         typeOfDoubleSum is wrong for when NaN can be produced
47         https://bugs.webkit.org/show_bug.cgi?id=196030
48
49         Reviewed by Filip Pizlo.
50
51         * stress/double-add-sub-mul-can-produce-nan.js: Added.
52         (assert):
53         (noInline.sub):
54         (noInline):
55         (assert.mul):
56         (assert.add):
57
58 2019-03-20  Yusuke Suzuki  <ysuzuki@apple.com>
59
60         Update the test to ensure OutOfMemoryError is thrown as intended
61         https://bugs.webkit.org/show_bug.cgi?id=196032
62         <rdar://problem/46842740>
63
64         Rubber stamped by Saam Barati.
65
66         * stress/create-error-out-of-memory-rope-string.js:
67         (assert):
68         (catch):
69
70 2019-03-20  Tadeu Zagallo  <tzagallo@apple.com>
71
72         JSC::createError needs to check for OOM in errorDescriptionForValue
73         https://bugs.webkit.org/show_bug.cgi?id=196032
74         <rdar://problem/46842740>
75
76         Reviewed by Mark Lam.
77
78         * stress/create-error-out-of-memory-rope-string.js: Added.
79
80 2019-03-19  Yusuke Suzuki  <ysuzuki@apple.com>
81
82         Unreviewed, reduce # of iterations to avoid timing out after r242991
83         https://bugs.webkit.org/show_bug.cgi?id=195791
84
85         To avoid timing out, this patch reduces it from 3e7 to 1e7. 1e7 iteration counts still reproduce the issue at 60%.
86
87         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js:
88
89 2019-03-19  Caio Lima  <ticaiolima@gmail.com>
90
91         [JSC] microbenchmarks/generate-multiple-llint-entrypoints.js is running out of executable memory on ARMv7
92         https://bugs.webkit.org/show_bug.cgi?id=195950
93
94         Unreviewed, reducing the amount of memory used on this test to avoid
95         OOM on devices with memory restrictions.
96
97         * microbenchmarks/generate-multiple-llint-entrypoints.js:
98
99 2019-03-19  Caio Lima  <ticaiolima@gmail.com>
100
101         [JSC] LLIntEntryPoint creates same DirectJITCode for all functions
102         https://bugs.webkit.org/show_bug.cgi?id=194648
103
104         Reviewed by Keith Miller.
105
106         * microbenchmarks/generate-multiple-llint-entrypoints.js: Added.
107
108 2019-03-18  Mark Lam  <mark.lam@apple.com>
109
110         Missing a ThrowScope release in JSObject::toString().
111         https://bugs.webkit.org/show_bug.cgi?id=195893
112         <rdar://problem/48970986>
113
114         Reviewed by Michael Saboff.
115
116         * stress/to-string-exception-check-release.js: Added.
117
118 2019-03-18  Mark Lam  <mark.lam@apple.com>
119
120         Structure::flattenDictionary() should clear unused property slots.
121         https://bugs.webkit.org/show_bug.cgi?id=195871
122         <rdar://problem/48959497>
123
124         Reviewed by Michael Saboff.
125
126         * stress/structure-flattenDictionary-should-clear-unused-property-slots.js: Added.
127
128 2019-03-15  Mark Lam  <mark.lam@apple.com>
129
130         Need to check ObjectPropertyCondition liveness before accessing it when firing watchpoints.
131         https://bugs.webkit.org/show_bug.cgi?id=195827
132         <rdar://problem/48845513>
133
134         Reviewed by Filip Pizlo.
135
136         * stress/check-object-property-condition-liveness-before-accessing-it-when-watchpoints-fire.js: Added.
137
138 2019-03-15  Dominik Infuehr  <dinfuehr@igalia.com>
139
140         [ARM,MIPS] Skip slow tests
141         https://bugs.webkit.org/show_bug.cgi?id=195799
142
143         Unreviewed, test does not finish on ARM and MIPS within the
144         timeout limit.
145
146         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js:
147
148 2019-03-14  Yusuke Suzuki  <ysuzuki@apple.com>
149
150         [JSC] Retain PrivateName of Symbol before passing it to operations potentially incurring GC
151         https://bugs.webkit.org/show_bug.cgi?id=195791
152         <rdar://problem/48806130>
153
154         Reviewed by Mark Lam.
155
156         * stress/symbol-is-destructed-before-refing-underlying-symbol-impl.js: Added.
157         (foo):
158
159 2019-03-14  Saam barati  <sbarati@apple.com>
160
161         We can't remove code after ForceOSRExit until after FixupPhase
162         https://bugs.webkit.org/show_bug.cgi?id=186916
163         <rdar://problem/41396612>
164
165         Reviewed by Yusuke Suzuki.
166
167         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Added.
168         (foo):
169         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
170         (foo):
171
172 2019-03-13  Michael Saboff  <msaboff@apple.com>
173
174         ASSERTION FAILED: regexp->isValid() or ASSERTION FAILED: !isCompilationThread()
175         https://bugs.webkit.org/show_bug.cgi?id=195735
176
177         Reviewed by Mark Lam.
178
179         New regression test.
180
181         * stress/dont-strength-reduce-regexp-with-compile-error.js: Added.
182         (foo):
183         (bar):
184
185 2019-03-14  Saam barati  <sbarati@apple.com>
186
187         Fixup uses KnownInt32 incorrectly in some nodes
188         https://bugs.webkit.org/show_bug.cgi?id=195279
189         <rdar://problem/47915654>
190
191         Reviewed by Yusuke Suzuki.
192
193         * stress/known-int32-cant-be-used-across-bytecode-boundary.js: Added.
194         (foo):
195
196 2019-03-14  Keith Miller  <keith_miller@apple.com>
197
198         DFG liveness can't skip tail caller inline frames
199         https://bugs.webkit.org/show_bug.cgi?id=195715
200
201         Reviewed by Saam Barati.
202
203         * stress/dfg-scan-inlined-tail-caller-frames-liveness.js:
204         (i.foo):
205
206 2019-03-13  Mark Lam  <mark.lam@apple.com>
207
208         Gardening: reducing the variants on 2 tests to avoid timing out on JSC Debug queue.
209         https://bugs.webkit.org/show_bug.cgi?id=195415
210
211         Not reviewed.
212
213         Changed these tests to only run the default configuration.
214         The ftl-no-cjit-validate-sampling-profiler variant was timing out.
215         There's no strong need to run this test on that variant.
216
217         * stress/dfg-to-string-on-int-does-gc.js:
218         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js:
219
220 2019-03-13  Dominik Infuehr  <dinfuehr@igalia.com>
221
222         String overflow when using StringBuilder in JSC::createError
223         https://bugs.webkit.org/show_bug.cgi?id=194957
224
225         Reviewed by Mark Lam.
226
227         Add test string-overflow-createError-bulder.js that overflows
228         StringBuilder in notAFunctionSourceAppender. The second new test
229         string-overflow-createError-fit.js has an error message that doesn't
230         overflow, it still failed since the String's capacity can't be doubled.
231         Run test string-overflow-createError.js only in the default
232         configuration to reduce memory consumption when running the test
233         in all configurations on multiple CPUs in parallel.
234
235         * stress/string-overflow-createError-builder.js: Copied from JSTests/stress/string-overflow-createError.js.
236         (catch):
237         * stress/string-overflow-createError-fit.js: Copied from JSTests/stress/string-overflow-createError.js.
238         (catch):
239         * stress/string-overflow-createError.js:
240
241 2019-03-12  Yusuke Suzuki  <ysuzuki@apple.com>
242
243         [JSC] OSR entry should respect abstract values in addition to flush formats
244         https://bugs.webkit.org/show_bug.cgi?id=195653
245
246         Reviewed by Mark Lam.
247
248         * stress/osr-entry-locals-none.js: Added.
249
250 2019-03-12  Michael Saboff  <msaboff@apple.com>
251
252         REGRESSION (iOS 12.2): Webpage using CoffeeScript crashes
253         https://bugs.webkit.org/show_bug.cgi?id=195613
254
255         Reviewed by Mark Lam.
256
257         New regression test.
258
259         * stress/regexp-backref-inbounds.js: Added.
260         (testRegExp):
261
262 2019-03-12  Mark Lam  <mark.lam@apple.com>
263
264         The HasIndexedProperty node does GC.
265         https://bugs.webkit.org/show_bug.cgi?id=195559
266         <rdar://problem/48767923>
267
268         Reviewed by Yusuke Suzuki.
269
270         * stress/HasIndexedProperty-does-gc.js: Added.
271
272 2019-03-11  Caio Lima  <ticaiolima@gmail.com>
273
274         [ESNext][BigInt] Implement "~" unary operation
275         https://bugs.webkit.org/show_bug.cgi?id=182216
276
277         Reviewed by Keith Miller.
278
279         * stress/big-int-bit-not-general.js: Added.
280         * stress/big-int-bitwise-not-jit.js: Added.
281         * stress/big-int-bitwise-not-wrapped-value.js: Added.
282         * stress/bit-op-with-object-returning-int32.js:
283         * stress/bitwise-not-fixup-rules.js: Added.
284         * stress/value-bit-not-ai-rule.js: Added.
285
286 2019-03-10  Ross Kirsling  <ross.kirsling@sony.com>
287
288         Invalid flags in a RegExp literal should be an early SyntaxError
289         https://bugs.webkit.org/show_bug.cgi?id=195514
290
291         Reviewed by Darin Adler.
292
293         * test262/expectations.yaml:
294         Mark 4 test cases as passing.
295
296         * stress/regexp-syntax-error-invalid-flags.js:
297         * stress/regress-161995.js: Removed.
298         Update existing test, merging in an older test for the same behavior.
299
300 2019-03-08  Mark Lam  <mark.lam@apple.com>
301
302         Stack overflow crash in JSC::JSObject::hasInstance.
303         https://bugs.webkit.org/show_bug.cgi?id=195458
304         <rdar://problem/48710195>
305
306         Reviewed by Yusuke Suzuki.
307
308         * stress/stack-overflow-in-custom-hasInstance.js: Added.
309
310 2019-03-08  Tadeu Zagallo  <tzagallo@apple.com>
311
312         op_check_tdz does not def its argument
313         https://bugs.webkit.org/show_bug.cgi?id=192880
314         <rdar://problem/46221598>
315
316         Reviewed by Saam Barati.
317
318         * microbenchmarks/let-for-in.js: Added.
319         (foo):
320
321 2019-03-07  Yusuke Suzuki  <ysuzuki@apple.com>
322
323         [JSC] StringFromCharCode fast path should accept 0xff in DFG and FTL
324         https://bugs.webkit.org/show_bug.cgi?id=195429
325
326         Reviewed by Saam Barati.
327
328         * stress/must-handled-values-should-not-be-used-as-proven-constants-in-cfa.js: Added.
329         (foo):
330         * stress/string-from-char-code-255.js: Added.
331
332 2019-03-06  Mark Lam  <mark.lam@apple.com>
333
334         Fix incorrect handling of try-finally completion values.
335         https://bugs.webkit.org/show_bug.cgi?id=195131
336         <rdar://problem/46222079>
337
338         Reviewed by Saam Barati and Yusuke Suzuki.
339
340         Added many permutations of new test case to test-finally.js.  test-finally.js has
341         been run on Chrome and Firefox as a sanity check, and we confirmed that all the
342         tests pass there as well.
343
344         * stress/test-finally.js:
345
346 2019-03-06  Saam Barati  <sbarati@apple.com>
347
348         Air::reportUsedRegisters must padInterference
349         https://bugs.webkit.org/show_bug.cgi?id=195303
350         <rdar://problem/48270343>
351
352         Reviewed by Keith Miller.
353
354         * stress/optional-def-arg-width-should-be-both-early-and-late-use.js: Added.
355
356 2019-03-06  Yusuke Suzuki  <ysuzuki@apple.com>
357
358         [JSC] AI should not propagate AbstractValue relying on constant folding phase
359         https://bugs.webkit.org/show_bug.cgi?id=195375
360
361         Reviewed by Saam Barati.
362
363         * stress/make-rope-should-not-propagate-constant-folded-value-in-ai.js: Added.
364         (let.array):
365
366 2019-03-05  Saam barati  <sbarati@apple.com>
367
368         op_switch_char broken for rope strings after JSRopeString layout rewrite
369         https://bugs.webkit.org/show_bug.cgi?id=195339
370         <rdar://problem/48592545>
371
372         Reviewed by Yusuke Suzuki.
373
374         * stress/switch-on-char-llint-rope.js: Added.
375
376 2019-03-04  Yusuke Suzuki  <ysuzuki@apple.com>
377
378         [JSC] Store bits for JSRopeString in 3 stores
379         https://bugs.webkit.org/show_bug.cgi?id=195234
380
381         Reviewed by Saam Barati.
382
383         * stress/null-rope-and-collectors.js: Added.
384
385 2019-03-01  Dominik Infuehr  <dinfuehr@igalia.com>
386
387         Unskip test read-dead-bytecode-locals-in-must-have-handle-values2.js on ARM/MIPS
388         https://bugs.webkit.org/show_bug.cgi?id=195207
389
390         Unreviewed. After test runtime was reduced in r242213, test can be
391         run again on ARM/MIPS.
392
393         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
394
395 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
396
397         [JSC] sizeof(JSString) should be 16
398         https://bugs.webkit.org/show_bug.cgi?id=194375
399
400         Reviewed by Saam Barati.
401
402         * microbenchmarks/make-rope.js: Added.
403         (makeRope):
404         * stress/to-lower-case-intrinsic-on-empty-rope.js: We no longer allow 0 length JSString except for jsEmptyString singleton per VM.
405         (returnRope.helper): Deleted.
406         (returnRope): Deleted.
407
408 2019-02-28  Yusuke Suzuki  <ysuzuki@apple.com>
409
410         Unreviewed, reduce the count in the stress/read-dead-bytecode-locals-in-must-handle-values2.js
411         https://bugs.webkit.org/show_bug.cgi?id=195144
412
413         1e8 takes too much time in the Debug build. I tried 1e5 with the old Debug build and it successfully reproduced the issue.
414         Change the number from 1e8 to 1e5.
415
416         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
417         (foo):
418
419 2019-02-28  Dominik Infuehr  <dinfuehr@igalia.com>
420
421         Test times out on ARM/MIPS
422         https://bugs.webkit.org/show_bug.cgi?id=195168
423
424         Unreviewed. Skip test on ARM/MIPS.
425
426         * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
427
428 2019-02-27  Mark Lam  <mark.lam@apple.com>
429
430         The parser is failing to record the token location of new in new.target.
431         https://bugs.webkit.org/show_bug.cgi?id=195127
432         <rdar://problem/39645578>
433
434         Reviewed by Yusuke Suzuki.
435
436         * stress/parser-should-record-token-location-of-new-dot-target.js: Added.
437
438 2019-02-27  Yusuke Suzuki  <ysuzuki@apple.com>
439
440         [JSC] mustHandleValues for dead bytecode locals should be ignored in DFG phases
441         https://bugs.webkit.org/show_bug.cgi?id=195144
442         <rdar://problem/47595961>
443
444         Reviewed by Mark Lam.
445
446         * stress/read-dead-bytecode-locals-in-must-handle-values1.js: Added.
447         (bar):
448         (foo):
449         * stress/read-dead-bytecode-locals-in-must-handle-values2.js: Added.
450         (bar):
451         (foo):
452
453 2019-02-27  Robin Morisset  <rmorisset@apple.com>
454
455         DFG: Loop-invariant code motion (LICM) should not hoist dead code
456         https://bugs.webkit.org/show_bug.cgi?id=194945
457         <rdar://problem/48311657>
458
459         Reviewed by Mark Lam.
460
461         * stress/licm-dead-code.js: Added.
462
463 2019-02-26  Yusuke Suzuki  <ysuzuki@apple.com>
464
465         REGRESSION: stress/regress-178386.js is timing out on JSC debug bot
466         https://bugs.webkit.org/show_bug.cgi?id=194677
467         <rdar://problem/48112492>
468
469         Reviewed by Mark Lam.
470
471         Before r241233, String.fromCharCode (except for an empty string) always returns 16bit string.
472         This makes the rope generated by padEnd 16bit. When we resolve the rope inside JSON.stringify,
473         it immediately fails due to the large size.
474
475         After r241233, String.fromCharCode starts returning 8bit string if possible. So the rope becomes
476         8bit, and we successfully resolve the rope in this case. Resolving such a large rope takes a long
477         time and that is why stress/regress-178386.js starts timing out. Note that, the test fails with
478         OOM error anyway because JSON.stringify's builder overflows with such a large string input.
479
480         This patch changes the test to produce 16bit string from String.fromCharCode.
481
482         * stress/regress-178386.js:
483
484 2019-02-26  Mark Lam  <mark.lam@apple.com>
485
486         wasmToJS() should purify incoming NaNs.
487         https://bugs.webkit.org/show_bug.cgi?id=194807
488         <rdar://problem/48189132>
489
490         Reviewed by Saam Barati.
491
492         * wasm/regress/wasmToJS-should-purify-NaNs.js: Added.
493
494 2019-02-26  Guillaume Emont  <guijemont@igalia.com>
495
496         [JSC] Repeat string created from Array.prototype.join() take too much memory
497         https://bugs.webkit.org/show_bug.cgi?id=193912
498
499         Reviewed by Saam Barati.
500
501         Added a test and a microbenchmark for corner cases of
502         Array.prototype.join() with an uninitialized array.
503
504         * microbenchmarks/array-prototype-join-uninitialized.js: Added.
505         * stress/array-prototype-join-uninitialized.js: Added.
506         (testArray):
507         (testABC):
508         (B):
509         (C):
510
511 2019-02-22  Robin Morisset  <rmorisset@apple.com>
512
513         DFGBytecodeParser should not declare that a node won't clobberExit if DFGFixupPhase can later declare it does clobberExit
514         https://bugs.webkit.org/show_bug.cgi?id=194953
515         <rdar://problem/47595253>
516
517         Reviewed by Saam Barati.
518
519         I could not make this work without the infinite loop, so I am using a watchdog to be able to use it as a regression test.
520
521         * stress/has-indexed-property-with-worsening-array-mode.js: Added.
522
523 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
524
525         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
526         https://bugs.webkit.org/show_bug.cgi?id=172848
527         <rdar://problem/25709212>
528
529         Reviewed by Mark Lam.
530
531         * typeProfiler/inheritance.js:
532         Rewrite the test slightly for clarity. The hoisting was confusing.
533
534         * heapProfiler/class-names.js: Added.
535         (MyES5Class):
536         (MyES6Class):
537         (MyES6Subclass):
538         Test object types and improved class names.
539
540         * heapProfiler/driver/driver.js:
541         (CheapHeapSnapshotNode):
542         (CheapHeapSnapshot):
543         (createCheapHeapSnapshot):
544         (HeapSnapshot):
545         (createHeapSnapshot):
546         Update snapshot parsing from version 1 to version 2.
547
548 2019-02-19  Truitt Savell  <tsavell@apple.com>
549
550         Unreviewed, rolling out r241784.
551
552         Broke all OpenSource builds.
553
554         Reverted changeset:
555
556         "Web Inspector: Improve ES6 Class instances in Heap Snapshot
557         instances view"
558         https://bugs.webkit.org/show_bug.cgi?id=172848
559         https://trac.webkit.org/changeset/241784
560
561 2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>
562
563         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
564         https://bugs.webkit.org/show_bug.cgi?id=172848
565         <rdar://problem/25709212>
566
567         Reviewed by Mark Lam.
568
569         * typeProfiler/inheritance.js:
570         Rewrite the test slightly for clarity. The hoisting was confusing.
571
572         * heapProfiler/class-names.js: Added.
573         (MyES5Class):
574         (MyES6Class):
575         (MyES6Subclass):
576         Test object types and improved class names.
577
578         * heapProfiler/driver/driver.js:
579         (CheapHeapSnapshotNode):
580         (CheapHeapSnapshot):
581         (createCheapHeapSnapshot):
582         (HeapSnapshot):
583         (createHeapSnapshot):
584         Update snapshot parsing from version 1 to version 2.
585
586 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
587
588         [ARM] Fix crash with sampling profiler
589         https://bugs.webkit.org/show_bug.cgi?id=194772
590
591         Reviewed by Mark Lam.
592
593         Do not skip test since crash with sampling profiler is now fixed.
594
595         * stress/sampling-profiler-richards.js:
596
597 2019-02-18  Yusuke Suzuki  <ysuzuki@apple.com>
598
599         [JSC] Add LazyClassStructure::getInitializedOnMainThread
600         https://bugs.webkit.org/show_bug.cgi?id=194784
601         <rdar://problem/48154820>
602
603         Reviewed by Mark Lam.
604
605         * stress/lazy-initialization-done-a-priori-if-jit-enabled.js: Added.
606         (getProperties):
607         (getRandomProperty):
608         (i.catch):
609
610 2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>
611
612         [ARM] Test gardening: Test running out of executable memory
613         https://bugs.webkit.org/show_bug.cgi?id=194771
614
615         Unreviewed. Do not run test without LLInt, test is running out of executable
616         memory on ARM otherwise.
617
618         * stress/tagged-template-object-collect.js:
619
620 2019-02-18  Tomas Popela  <tpopela@redhat.com>
621
622         Unreviewed, skip the test on platforms without sampling profiler
623
624         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js:
625         (platformSupportsSamplingProfiler.foo):
626         (platformSupportsSamplingProfiler.test):
627         (platformSupportsSamplingProfiler):
628         (foo): Deleted.
629         (test): Deleted.
630
631 2019-02-17  Saam Barati  <sbarati@apple.com>
632
633         Deadlock when adding a Structure property transition and then doing incremental marking
634         https://bugs.webkit.org/show_bug.cgi?id=194767
635
636         Reviewed by Mark Lam.
637
638         * stress/incremental-marking-should-not-dead-lock-in-new-property-transition.js: Added.
639
640 2019-02-15  Michael Saboff  <msaboff@apple.com>
641
642         RELEASE_ASSERT at com.apple.JavaScriptCore: JSC::jsSubstringOfResolved
643         https://bugs.webkit.org/show_bug.cgi?id=194558
644
645         Reviewed by Saam Barati.
646
647         New regression test.
648
649         * stress/regexp-unicode-within-string.js: Added.
650
651 2019-02-15  Mark Lam  <mark.lam@apple.com>
652
653         SamplingProfiler::stackTracesAsJSON() should escape strings.
654         https://bugs.webkit.org/show_bug.cgi?id=194649
655         <rdar://problem/48072386>
656
657         Reviewed by Saam Barati.
658
659         * stress/sampling-profiler-stack-trace-with-double-quote-in-function-name.js: Added.
660         * stress/type-profiler-with-double-quote-in-constructor-name.js: Added.
661         * stress/type-profiler-with-double-quote-in-field-name.js: Added.
662         * stress/type-profiler-with-double-quote-in-optional-field-name.js: Added.
663
664 2019-02-15  Robin Morisset  <rmorisset@apple.com>
665         CodeBlock::jettison should clear related watchpoints
666         https://bugs.webkit.org/show_bug.cgi?id=194544
667
668         Reviewed by Mark Lam.
669
670         * stress/regexp-replace-double-watchpoint.js: Added.
671         (foo):
672
673 2019-02-15  Saam barati  <sbarati@apple.com>
674
675         [WebAssembly] Write a new register allocator for Air O0 and make BBQ use it
676         https://bugs.webkit.org/show_bug.cgi?id=194036
677
678         Reviewed by Yusuke Suzuki.
679
680         * stress/tail-call-many-arguments.js: Added.
681         (foo):
682         (bar):
683
684 2019-02-14  Saam Barati  <sbarati@apple.com>
685
686         Cache the results of BytecodeGenerator::getVariablesUnderTDZ
687         https://bugs.webkit.org/show_bug.cgi?id=194583
688         <rdar://problem/48028140>
689
690         Reviewed by Yusuke Suzuki.
691
692         * microbenchmarks/cache-get-variables-under-tdz-in-bytecode-generator.js: Added.
693
694 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
695
696         [JSC] String.fromCharCode's slow path always generates 16bit string
697         https://bugs.webkit.org/show_bug.cgi?id=194466
698
699         Reviewed by Keith Miller.
700
701         * stress/string-from-char-code-slow-path.js: Added.
702         (shouldBe):
703         (testWithLength):
704
705 2019-02-08  Saam barati  <sbarati@apple.com>
706
707         Nodes that rely on being dominated by CheckInBounds should have a child edge to it
708         https://bugs.webkit.org/show_bug.cgi?id=194334
709         <rdar://problem/47844327>
710
711         Reviewed by Mark Lam.
712
713         * stress/check-in-bounds-should-be-a-child-use.js: Added.
714         (func):
715
716 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
717
718         [JSC] InitializeEntrypointArguments should produce SpecCellCheck if FlushFormat is FlushedCell
719         https://bugs.webkit.org/show_bug.cgi?id=194369
720         <rdar://problem/47813087>
721
722         Reviewed by Saam Barati.
723
724         * stress/initialize-entrypoint-arguments-with-tdz.js: Added.
725         (A):
726
727 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
728
729         [JSC] PrivateName to PublicName hash table is wasteful
730         https://bugs.webkit.org/show_bug.cgi?id=194277
731
732         Reviewed by Michael Saboff.
733
734         This test depends on the order of JSSegmentedVariableObjects' variables, which is not guaranteed in JSC. Skipped.
735
736         * ChakraCore.yaml:
737
738 2019-02-05  Dominik Infuehr  <dinfuehr@igalia.com>
739
740         [ARM] Test running out of executable memory
741         https://bugs.webkit.org/show_bug.cgi?id=194285
742
743         Unreviewed. Do not execute test with LLInt disabled, test runs out of
744         executable memory otherwise.
745
746         * stress/class-subclassing-function.js:
747
748 2019-02-04  Robin Morisset  <rmorisset@apple.com>
749
750         when lowering AssertNotEmpty, create the value before creating the patchpoint
751         https://bugs.webkit.org/show_bug.cgi?id=194231
752
753         Reviewed by Saam Barati.
754
755         This test is painfully fragile: it tries to test that AssertNotEmpty on a constant produces valid B3 IR.
756         The problem is that AssertNotEmpty is only created by DFGConstantFolding when it can simplify a CheckStructure, and constant folding is a bit capricious (https://bugs.webkit.org/show_bug.cgi?id=133947)
757         So even tiny changes to this test can change the path code taken.
758
759         * stress/assert-not-empty.js: Added.
760         (foo):
761
762 2019-02-01  Mark Lam  <mark.lam@apple.com>
763
764         Remove invalid assertion in DFG's compileDoubleRep().
765         https://bugs.webkit.org/show_bug.cgi?id=194130
766         <rdar://problem/47699474>
767
768         Reviewed by Saam Barati.
769
770         * stress/constant-fold-double-rep-into-double-constant.js: Added.
771
772 2019-01-30  Ross Kirsling  <ross.kirsling@sony.com>
773
774         Import latest Test262 updates.
775
776         Rubber-stamped by Keith Miller.
777
778         * test262.yaml: Deleted.
779         * test262/config.yaml:
780         * test262/expectations.yaml:
781         * test262/latest-changes-summary.txt:
782         * test262/test/:
783         * test262/test262-Revision.txt:
784
785 2019-01-30  Robin Morisset  <rmorisset@apple.com>
786
787         Object.keys can now lead to a PhantomNewArrayBuffer, OSR exit from the FTL should know how to materialize a NewArrayBuffer in that case
788         https://bugs.webkit.org/show_bug.cgi?id=194050
789         <rdar://problem/47595592>
790
791         Reviewed by Yusuke Suzuki.
792
793         * stress/object-keys-osr-exit.js: Added.
794         (foo):
795         (catch):
796
797 2019-01-29  Mark Lam  <mark.lam@apple.com>
798
799         ValueRecovery::recover() should purify NaN values it recovers.
800         https://bugs.webkit.org/show_bug.cgi?id=193978
801         <rdar://problem/47625488>
802
803         Reviewed by Saam Barati.
804
805         * stress/value-recovery-of-double-displaced-in-jsstack-should-be-purified.js: Added.
806
807 2019-01-28  Yusuke Suzuki  <ysuzuki@apple.com>
808
809         Unreviewed, fix the test after r240543 not to use @Error / Error in builtins
810         https://bugs.webkit.org/show_bug.cgi?id=193713
811
812         * stress/try-get-by-id-should-spill-registers-dfg.js:
813         (let.f.createBuiltin):
814
815 2019-01-28  Mark Lam  <mark.lam@apple.com>
816
817         ToString node actually does GC.
818         https://bugs.webkit.org/show_bug.cgi?id=193920
819         <rdar://problem/46695900>
820
821         Reviewed by Yusuke Suzuki.
822
823         * stress/dfg-to-string-on-int-does-gc.js: Added.
824         * stress/dfg-to-string-on-string-object-does-not-gc.js: Added.
825         * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js: Added.
826
827 2019-01-25  Yusuke Suzuki  <ysuzuki@apple.com>
828
829         [JSC] NativeErrorConstructor should not have own IsoSubspace
830         https://bugs.webkit.org/show_bug.cgi?id=193713
831
832         Reviewed by Saam Barati.
833
834         Remove @Error use.
835
836         * stress/try-get-by-id-should-spill-registers-dfg.js:
837         (let.f.createBuiltin):
838
839 2019-01-24  Yusuke Suzuki  <ysuzuki@apple.com>
840
841         stress/const-semantics.js fails a dfg-eager / ftl-eager run with an ASAN release build.
842         https://bugs.webkit.org/show_bug.cgi?id=190693
843
844         Reviewed by Michael Saboff.
845
846         * stress/regress-190693.js: Added.
847         (truth):
848         (assert):
849         (shouldThrowInvalidConstAssignment):
850         (taz):
851
852 2019-01-24  Saam Barati  <sbarati@apple.com>
853
854         Object Allocation Sinking phase can move a node that walks the stack into a place where the InlineCallFrame is no longer valid
855         https://bugs.webkit.org/show_bug.cgi?id=193751
856         <rdar://problem/47280215>
857
858         Reviewed by Michael Saboff.
859
860         * stress/object-allocation-sinking-phase-must-only-move-allocations-if-stack-trace-is-still-valid.js: Added.
861         (let.thing):
862         (foo.let.hello):
863         (foo):
864
865 2019-01-24  Guillaume Emont  <guijemont@igalia.com>
866
867         [JSC] Reenable baseline JIT on mips
868         https://bugs.webkit.org/show_bug.cgi?id=192983
869
870         Reviewed by Mark Lam.
871
872         Added a new test for a case that was triggering a RELEASE_ASSERT when
873         testing.
874         Disable some slow tests that were already disabled for arm and x86.
875
876         * stress/json-parse-big-object.js: Added.
877         * stress/new-largeish-contiguous-array-with-size.js:
878         * stress/op_add.js:
879         * stress/op_bitand.js:
880         * stress/op_bitor.js:
881         * stress/op_bitxor.js:
882         * stress/op_lshift-ConstVar.js:
883         * stress/op_lshift-VarConst.js:
884         * stress/op_lshift-VarVar.js:
885         * stress/op_mod-ConstVar.js:
886         * stress/op_mod-VarConst.js:
887         * stress/op_mod-VarVar.js:
888         * stress/op_mul-ConstVar.js:
889         * stress/op_mul-VarConst.js:
890         * stress/op_mul-VarVar.js:
891         * stress/op_rshift-ConstVar.js:
892         * stress/op_rshift-VarConst.js:
893         * stress/op_rshift-VarVar.js:
894         * stress/op_sub-ConstVar.js:
895         * stress/op_sub-VarConst.js:
896         * stress/op_sub-VarVar.js:
897         * stress/op_urshift-ConstVar.js:
898         * stress/op_urshift-VarConst.js:
899         * stress/op_urshift-VarVar.js:
900         * stress/sampling-profiler-richards.js:
901         * stress/spread-forward-call-varargs-stack-overflow.js:
902
903 2019-01-23  Yusuke Suzuki  <ysuzuki@apple.com>
904
905         [DFG] AvailabilityMap::pruneByLiveness should make non-live operands Availability::unavailable instead of Availability()
906         https://bugs.webkit.org/show_bug.cgi?id=193711
907         <rdar://problem/47250262>
908
909         Reviewed by Saam Barati.
910
911         * stress/availability-was-cleared-when-locals-are-not-live.js: Added.
912         (shouldBe):
913         (foo):
914         (bar):
915         (baz):
916
917 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
918
919         Unreviewed, fix initial global lexical binding epoch
920         https://bugs.webkit.org/show_bug.cgi?id=193603
921         <rdar://problem/47380869>
922
923         * stress/global-lexical-binding-epoch-should-be-correct-one.js: Added.
924         (f1.f2.f3.f4):
925         (f1.f2.f3):
926         (f1.f2):
927         (f1):
928
929 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
930
931         REGRESSION(r239612) Crash at runtime due to broken DFG assumption
932         https://bugs.webkit.org/show_bug.cgi?id=193709
933         <rdar://problem/47363838>
934
935         Unreviewed, rollout to watch the tests.
936
937         * stress/object-tostring-changed-proto.js: Removed.
938         * stress/object-tostring-changed.js: Removed.
939         * stress/object-tostring-misc.js: Removed.
940         * stress/object-tostring-other.js: Removed.
941         * stress/object-tostring-untyped.js: Removed.
942
943 2019-01-22  Saam Barati  <sbarati@apple.com>
944
945         Unreviewed. Rollout r240223. It regressed JetStream2 by 1%.
946
947         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
948         (testUncheckedBetweenIntMinInclusiveAndZeroExclusive):
949         (testUncheckedLessThanZero):
950         (testUncheckedLessThanOrEqualZero):
951         * stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Removed.
952         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Removed.
953
954 2019-01-22  Yusuke Suzuki  <ysuzuki@apple.com>
955
956         [JSC] Invalidate old scope operations using global lexical binding epoch
957         https://bugs.webkit.org/show_bug.cgi?id=193603
958         <rdar://problem/47380869>
959
960         Reviewed by Saam Barati.
961
962         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
963         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
964         (shouldThrow):
965         (bar):
966         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
967         (shouldBe):
968         (get1):
969         (get2):
970         (get1If):
971         (get2If):
972         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
973         (shouldThrow):
974         (foo):
975
976 2019-01-21  Yusuke Suzuki  <ysuzuki@apple.com>
977
978         Unreviewed, roll out r240220 due to date-format-xparb regression
979         https://bugs.webkit.org/show_bug.cgi?id=193603
980
981         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
982         * stress/scope-operation-cache-global-property-before-deleting.js: Removed.
983         * stress/scope-operation-cache-global-property-bump-counter.js: Removed.
984         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Removed.
985
986 2019-01-21  Caio Lima  <ticaiolima@gmail.com>
987
988         DoesGC rule is wrong for nodes with BigIntUse
989         https://bugs.webkit.org/show_bug.cgi?id=193652
990
991         Reviewed by Saam Barati.
992
993         * stress/big-int-value-op-update-gc-rules.js: Added.
994         (assert):
995         (doesGCAdd):
996         (doesGCSub):
997         (doesGCDiv):
998         (doesGCMul):
999         (doesGCBitAnd):
1000         (doesGCBitOr):
1001         (doesGCBitXor):
1002
1003 2019-01-20  Saam Barati  <sbarati@apple.com>
1004
1005         DFG: When inlining DataView set* intrinsics we need to set undefined as our result
1006         https://bugs.webkit.org/show_bug.cgi?id=193644
1007         <rdar://problem/46209745>
1008
1009         Reviewed by Yusuke Suzuki.
1010
1011         * stress/data-view-set-intrinsic-undefined-result-2.js: Added.
1012         (foo):
1013         * stress/data-view-set-intrinsic-undefined-result.js: Added.
1014         (foo):
1015         (bar):
1016
1017 2019-01-20  Saam Barati  <sbarati@apple.com>
1018
1019         MovHint must merge NodeBytecodeUsesAsValue for its child
1020         https://bugs.webkit.org/show_bug.cgi?id=186916
1021         <rdar://problem/41396612>
1022
1023         Reviewed by Yusuke Suzuki.
1024
1025         * stress/arith-abs-to-arith-negate-range-optimizaton.js:
1026         * stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
1027
1028 2019-01-20  Yusuke Suzuki  <ysuzuki@apple.com>
1029
1030         [JSC] Invalidate old scope operations using global lexical binding epoch
1031         https://bugs.webkit.org/show_bug.cgi?id=193603
1032         <rdar://problem/47380869>
1033
1034         Reviewed by Saam Barati.
1035
1036         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js:
1037         * stress/scope-operation-cache-global-property-before-deleting.js: Added.
1038         (shouldThrow):
1039         (bar):
1040         * stress/scope-operation-cache-global-property-bump-counter.js: Added.
1041         (shouldBe):
1042         (get1):
1043         (get2):
1044         (get1If):
1045         (get2If):
1046         * stress/scope-operation-cache-global-property-even-if-it-fails.js: Added.
1047         (shouldThrow):
1048         (foo):
1049
1050 2019-01-17  Saam Barati  <sbarati@apple.com>
1051
1052         StringObjectUse should not be a structure check for the original string object structure
1053         https://bugs.webkit.org/show_bug.cgi?id=193483
1054         <rdar://problem/47280522>
1055
1056         Reviewed by Yusuke Suzuki.
1057
1058         * stress/cant-eliminate-string-object-structure-check-when-string-object-is-proven.js: Added.
1059         (foo):
1060         (a.valueOf.0):
1061
1062 2019-01-17  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1063
1064         [JSC] ToThis omission in DFGByteCodeParser is wrong
1065         https://bugs.webkit.org/show_bug.cgi?id=193513
1066         <rdar://problem/45842236>
1067
1068         Reviewed by Saam Barati.
1069
1070         * stress/to-this-omission-with-different-strict-modes.js: Added.
1071         (thisA):
1072         (thisAStrictWrapper):
1073
1074 2019-01-15  Mark Lam  <mark.lam@apple.com>
1075
1076         JSFunction::canUseAllocationProfile() should account for builtin functions with no own prototypes.
1077         https://bugs.webkit.org/show_bug.cgi?id=193423
1078         <rdar://problem/46209355>
1079
1080         Reviewed by Saam Barati.
1081
1082         * microbenchmarks/sinkable-new-object-with-builtin-constructor.js: Added.
1083         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-1.js: Added.
1084         * stress/constructing-builtin-functions-with-getter-prototype-should-only-call-getter-once-per-new-2.js: Added.
1085         * stress/jsfunction-cannot-use-allocation-profile-with-builtin-functions-with-no-prototype.js: Added.
1086
1087 2019-01-15  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1088
1089         [JSC] Use KnownStringUse for GetByVal(Array::String) since AI would offer wider type information and offer non-string type after removing Check(String)
1090         https://bugs.webkit.org/show_bug.cgi?id=193438
1091         <rdar://problem/45581249>
1092
1093         Reviewed by Saam Barati and Keith Miller.
1094
1095         Under heavy load (like compiling WebKit), AI in this code can broaden type information after the 1st run.
1096         Then, GetByVal(String) crashed.
1097
1098         * stress/string-get-by-val-lowering.js: Added.
1099         (shouldBe):
1100         (test):
1101         * stress/type-for-get-by-val-can-be-widen-after-ai.js: Added.
1102         (Hello):
1103         (foo):
1104
1105 2019-01-15  Tomas Popela  <tpopela@redhat.com>
1106
1107         Unreviewed, skip JIT tests if it's not enabled
1108
1109         * stress/bit-op-with-object-returning-int32.js:
1110
1111 2019-01-15  Caio Lima  <ticaiolima@gmail.com>
1112
1113         DFGByteCodeParser rules for bitwise operations should consider type of their operands
1114         https://bugs.webkit.org/show_bug.cgi?id=192966
1115
1116         Reviewed by Yusuke Suzuki.
1117
1118         * stress/bit-op-with-object-returning-int32.js: Added.
1119
1120 2019-01-15  Guillaume Emont  <guijemont@igalia.com>
1121
1122         Skip a slow test and a flakey test on arm
1123
1124         Unreviewed gardening.
1125
1126         * typeProfiler/getter-richards.js:
1127         This test always times out. It used to be always skipped on arm and
1128         mips, but got accidentally enabled by r237919 now that we have DFG on
1129         arm. Also skipping on mips as we plan to soon enable DFG for it too.
1130
1131 2019-01-14  Keith Miller  <keith_miller@apple.com>
1132
1133         Skip type-check-hoisting-phase-hoist... with no jit
1134         https://bugs.webkit.org/show_bug.cgi?id=193421
1135
1136         Reviewed by Mark Lam.
1137
1138         It's timing out the 32-bit bots and takes 330 seconds
1139         on my machine when run by itself.
1140
1141         * stress/type-check-hoisting-phase-hoist-check-structure-on-tdz-this-value.js:
1142
1143 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1144
1145         [JSC] AI should check the given constant's array type when folding GetByVal into constant
1146         https://bugs.webkit.org/show_bug.cgi?id=193413
1147         <rdar://problem/46092389>
1148
1149         Reviewed by Keith Miller.
1150
1151         This test is super flaky. It causes a crash in r238109, but it does not crash with `--useConcurrentJIT=false`.
1152         It does not cause any crashes on the latest revision either. Basically, it highly depends on the timing, and
1153         without this patch, the root cause is not fixed yet. If GetLocal is turned into JSConstant in AI,
1154         but GetByVal does not have appropriate ArrayModes, JSC crashes.
1155
1156         * stress/ai-should-perform-array-check-on-get-by-val-constant-folding.js: Added.
1157         (compareArray):
1158
1159 2019-01-14  Caio Lima  <ticaiolima@gmail.com>
1160
1161         [BigInt] Literal parsing is crashing when used inside a Object Literal
1162         https://bugs.webkit.org/show_bug.cgi?id=193404
1163
1164         Reviewed by Yusuke Suzuki.
1165
1166         * stress/big-int-literal-inside-literal-object.js: Added.
1167
1168 2019-01-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1169
1170         [JSC] Do not use asArrayModes() with Structures because it discards TypedArray information
1171         https://bugs.webkit.org/show_bug.cgi?id=193372
1172
1173         Reviewed by Saam Barati.
1174
1175         * stress/typed-array-array-modes-profile.js: Added.
1176         (foo):
1177
1178 2019-01-14  Mark Lam  <mark.lam@apple.com>
1179
1180         Fix all CLoop JSC test failures (including some LLInt bugs due to recent bytecode format change).
1181         https://bugs.webkit.org/show_bug.cgi?id=193402
1182         <rdar://problem/46012309>
1183
1184         Reviewed by Keith Miller.
1185
1186         * stress/regexp-compile-oom.js:
1187         - Skip this test for !$jitTests because it is tuned for stack usage when the JIT
1188           is enabled.  As a result, it will fail on cloop builds though there is no bug.
1189
1190 2019-01-11  Saam Barati  <sbarati@apple.com>
1191
1192         DFG combined liveness can be wrong for terminal basic blocks
1193         https://bugs.webkit.org/show_bug.cgi?id=193304
1194         <rdar://problem/45268632>
1195
1196         Reviewed by Yusuke Suzuki.
1197
1198         * stress/dfg-combined-liveness-consider-terminal-blocks-bytecode-liveness.js: Added.
1199
1200 2019-01-11  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1201
1202         [JSC] Global lexical bindings can shadow global variables if it is `configurable = true`
1203         https://bugs.webkit.org/show_bug.cgi?id=193308
1204         <rdar://problem/45546542>
1205
1206         Reviewed by Saam Barati.
1207
1208         * stress/const-lexical-binding-shadow-existing-global-property-ftl.js: Added.
1209         (shouldThrow):
1210         (shouldBe):
1211         (foo):
1212         (get shouldThrow):
1213         * stress/const-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
1214         (shouldThrow):
1215         (shouldBe):
1216         (foo):
1217         (get shouldBe):
1218         (get shouldThrow):
1219         (get return):
1220         * stress/const-lexical-binding-shadow-existing-global-property-tdz.js: Added.
1221         (shouldThrow):
1222         (shouldBe):
1223         (foo):
1224         (get shouldBe):
1225         (get shouldThrow):
1226         * stress/const-lexical-binding-shadow-existing-global-property.js: Added.
1227         (shouldThrow):
1228         (shouldBe):
1229         (foo):
1230         * stress/const-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
1231         (shouldThrow):
1232         (shouldBe):
1233         (foo):
1234         * stress/global-add-function-should-not-be-shadowed-by-lexical-bindings.js: Added.
1235         (shouldThrow):
1236         * stress/global-static-variables-should-not-be-shadowed-by-lexical-bindings.js: Added.
1237         (shouldThrow):
1238         * stress/let-lexical-binding-shadow-existing-global-property-ftl.js: Added.
1239         (shouldThrow):
1240         (shouldBe):
1241         (foo):
1242         * stress/let-lexical-binding-shadow-existing-global-property-tdz-ftl.js: Added.
1243         (shouldThrow):
1244         (shouldBe):
1245         (foo):
1246         (get shouldBe):
1247         (get shouldThrow):
1248         (get return):
1249         * stress/let-lexical-binding-shadow-existing-global-property-tdz.js: Added.
1250         (shouldThrow):
1251         (shouldBe):
1252         (foo):
1253         (get shouldBe):
1254         (get shouldThrow):
1255         * stress/let-lexical-binding-shadow-existing-global-property.js: Added.
1256         (shouldThrow):
1257         (shouldBe):
1258         (foo):
1259         * stress/let-lexical-binding-shadowing-global-properties-and-eval-injection.js: Added.
1260         (shouldThrow):
1261         (shouldBe):
1262         (foo):
1263
1264 2019-01-11  Dominik Infuehr  <dinfuehr@igalia.com>
1265
1266         Enable DFG on ARM/Linux again
1267         https://bugs.webkit.org/show_bug.cgi?id=192496
1268
1269         Reviewed by Yusuke Suzuki.
1270
1271         Test wasn't really skipped before moving the line with skip
1272         to the top.
1273
1274         * stress/regress-192717.js:
1275
1276 2019-01-10  Commit Queue  <commit-queue@webkit.org>
1277
1278         Unreviewed, rolling out r239825.
1279         https://bugs.webkit.org/show_bug.cgi?id=193330
1280
1281         Broke tests on armv7/linux bots (Requested by guijemont on
1282         #webkit).
1283
1284         Reverted changeset:
1285
1286         "Enable DFG on ARM/Linux again"
1287         https://bugs.webkit.org/show_bug.cgi?id=192496
1288         https://trac.webkit.org/changeset/239825
1289
1290 2019-01-10  Dominik Infuehr  <dinfuehr@igalia.com>
1291
1292         Enable DFG on ARM/Linux again
1293         https://bugs.webkit.org/show_bug.cgi?id=192496
1294
1295         Reviewed by Yusuke Suzuki.
1296
1297         Test wasn't really skipped before moving the line with skip
1298         to the top.
1299
1300         * stress/regress-192717.js:
1301
1302 2019-01-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1303
1304         Array.prototype.flat/flatMap have a minor bug in ArraySpeciesCreate
1305         https://bugs.webkit.org/show_bug.cgi?id=193127
1306
1307         Reviewed by Saam Barati.
1308
1309         * stress/array-species-create-should-handle-masquerader.js: Added.
1310         (shouldThrow):
1311         * stress/is-undefined-or-null-builtin.js: Added.
1312         (shouldBe):
1313         (isUndefinedOrNull.vm.createBuiltin):
1314
1315 2019-01-08  Tadeu Zagallo  <tzagallo@apple.com>
1316
1317         LLInt put_by_id uses the wrong load instruction for loading flags from the metadata
1318         https://bugs.webkit.org/show_bug.cgi?id=193221
1319
1320         Reviewed by Mark Lam.
1321
1322         * stress/put-by-id-flags.js: Added.
1323         (f):
1324         (g):
1325         (numberOfDFGCompiles):
1326
1327 2019-01-04  Tadeu Zagallo  <tzagallo@apple.com>
1328
1329         Baseline version of get_by_id may corrupt metadata
1330         https://bugs.webkit.org/show_bug.cgi?id=193085
1331         <rdar://problem/23453006>
1332
1333         Reviewed by Saam Barati.
1334
1335         * stress/get-by-id-change-mode.js: Added.
1336         (forEach):
1337
1338 2019-01-02  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1339
1340         [JSC] Optimize Object.prototype.toString
1341         https://bugs.webkit.org/show_bug.cgi?id=193031
1342
1343         Reviewed by Saam Barati.
1344
1345         * stress/object-tostring-changed-proto.js: Added.
1346         (shouldBe):
1347         (test):
1348         * stress/object-tostring-changed.js: Added.
1349         (shouldBe):
1350         (test):
1351         * stress/object-tostring-misc.js: Added.
1352         (shouldBe):
1353         (test):
1354         (i.switch):
1355         * stress/object-tostring-other.js: Added.
1356         (shouldBe):
1357         (test):
1358         * stress/object-tostring-untyped.js: Added.
1359         (shouldBe):
1360         (test):
1361         (i.switch):
1362
1363 2019-01-03  Ross Kirsling  <ross.kirsling@sony.com>
1364
1365         test262-runner misbehaves when test file YAML has a trailing space
1366         https://bugs.webkit.org/show_bug.cgi?id=193053
1367
1368         Reviewed by Yusuke Suzuki.
1369
1370         * test262/expectations.yaml:
1371         Mark two dozen tests as passing (and correct the output of another).
1372
1373 2018-12-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1374
1375         Unreviewed, JSTests gardening with memoryLimited
1376
1377         * stress/string-overflow-createError.js:
1378
1379 2018-12-30  Ross Kirsling  <ross.kirsling@sony.com>
1380
1381         [JSC] Identifier validity should be based on ID_Start / ID_Continue properties
1382         https://bugs.webkit.org/show_bug.cgi?id=193050
1383
1384         Reviewed by Yusuke Suzuki.
1385
1386         * test262.yaml:
1387         * test262/expectations.yaml:
1388         Mark 16 tests as passing.
1389
1390 2018-12-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1391
1392         [BigInt] Support BigInt in JSON.stringify
1393         https://bugs.webkit.org/show_bug.cgi?id=192624
1394
1395         Reviewed by Saam Barati.
1396
1397         * stress/big-int-json-stringify-to-json.js: Added.
1398         (shouldBe):
1399         (shouldThrow):
1400         (BigInt.prototype.toJSON):
1401         (shouldBe.JSON.stringify):
1402         * stress/big-int-json-stringify.js: Added.
1403         (shouldBe):
1404         (shouldThrow):
1405
1406 2018-12-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1407
1408         [JSC] Implement "well-formed JSON.stringify" proposal
1409         https://bugs.webkit.org/show_bug.cgi?id=191677
1410
1411         Reviewed by Darin Adler.
1412
1413         * stress/json-surrogate-pair.js: Added.
1414         (shouldBe):
1415         * test262/expectations.yaml:
1416
1417 2018-12-20  Keith Miller  <keith_miller@apple.com>
1418
1419         Add support for globalThis
1420         https://bugs.webkit.org/show_bug.cgi?id=165171
1421
1422         Reviewed by Mark Lam.
1423
1424         * test262/config.yaml:
1425
1426 2018-12-19  Keith Miller  <keith_miller@apple.com>
1427
1428         Update test262 configuration to not run tests dependent on ICU version.
1429         https://bugs.webkit.org/show_bug.cgi?id=192920
1430
1431         Reviewed by Saam Barati.
1432
1433         * test262/expectations.yaml:
1434
1435 2018-12-20  Mark Lam  <mark.lam@apple.com>
1436
1437         Fix a typo in slow_path_construct_arityCheck and operationConstructArityCheck.
1438         https://bugs.webkit.org/show_bug.cgi?id=192939
1439         <rdar://problem/46869516>
1440
1441         Reviewed by Keith Miller.
1442
1443         * stress/stack-overflow-frame-for-construct-arityCheck-should-use-construct-codeBlock.js: Added.
1444
1445 2018-12-20  Tadeu Zagallo  <tzagallo@apple.com>
1446
1447         WTF::String and StringImpl overflow MaxLength
1448         https://bugs.webkit.org/show_bug.cgi?id=192853
1449         <rdar://problem/45726906>
1450
1451         Reviewed by Mark Lam.
1452
1453         * stress/string-16bit-repeat-overflow.js: Added.
1454         (catch):
1455
1456 2018-12-19  Ross Kirsling  <ross.kirsling@sony.com>
1457
1458         Unreviewed follow-up to r192914.
1459
1460         * test262/expectations.yaml:
1461         Add the last 20 missing expectations.
1462
1463 2018-12-19  Keith Miller  <keith_miller@apple.com>
1464
1465         Fix test262 expectations
1466         https://bugs.webkit.org/show_bug.cgi?id=192914
1467
1468         Unreviewed, when I imported the latest round of test262 tests I must have failed to update the test expectations.
1469
1470         * test262/expectations.yaml:
1471
1472 2018-12-19  Keith Miller  <keith_miller@apple.com>
1473
1474         Update test262 tests.
1475         https://bugs.webkit.org/show_bug.cgi?id=192907
1476
1477         Rubber stamped by Mark Lam.
1478
1479         * test262/*: Omitted because prepare-changelog crashes.
1480
1481 2018-12-19  Mark Lam  <mark.lam@apple.com>
1482
1483         JSPropertyNameEnumerator should cache the iterated object's structure only after getting its property names.
1484         https://bugs.webkit.org/show_bug.cgi?id=192464
1485         <rdar://problem/46519455>
1486
1487         Reviewed by Saam Barati.
1488
1489         This patch is about a 10% speed up on the new for-in-on-object-with-lazily-materialized-properties.js
1490         microbenchmark.
1491
1492         * microbenchmarks/for-in-on-object-with-lazily-materialized-properties.js: Added.
1493         * stress/property-name-enumerator-should-cache-structure-after-getting-property-names.js: Added.
1494
1495 2018-12-19  Tadeu Zagallo  <tzagallo@apple.com>
1496
1497         String overflow in JSC::createError results in ASSERT in WTF::makeString
1498         https://bugs.webkit.org/show_bug.cgi?id=192833
1499         <rdar://problem/45706868>
1500
1501         Reviewed by Mark Lam.
1502
1503         * stress/string-overflow-createError.js: Added.
1504
1505 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
1506
1507         Error message for `-x ** y` contains a typo.
1508         https://bugs.webkit.org/show_bug.cgi?id=192832
1509
1510         Reviewed by Saam Barati.
1511
1512         * ChakraCore/test/UnitTestFramework/UnitTestFramework.js:
1513         (assert.assert.return.throws):
1514         * stress/pow-expects-update-expression-on-lhs.js:
1515         (throw.new.Error):
1516         Update test expectations which match against the exact error message.
1517
1518 2018-12-18  Mark Lam  <mark.lam@apple.com>
1519
1520         Gardening: test options fix.
1521         https://bugs.webkit.org/show_bug.cgi?id=192822
1522
1523         Unreviewed.
1524
1525         * stress/json-stringify-string-builder-overflow.js:
1526
1527 2018-12-18  Mark Lam  <mark.lam@apple.com>
1528
1529         JSON.stringify() should throw OOM on StringBuilder overflows.
1530         https://bugs.webkit.org/show_bug.cgi?id=192822
1531         <rdar://problem/46670577>
1532
1533         Reviewed by Saam Barati.
1534
1535         * stress/json-stringify-string-builder-overflow.js: Added.
1536
1537 2018-12-18  Ross Kirsling  <ross.kirsling@sony.com>
1538
1539         Redeclaration of var over let/const/class should be a syntax error.
1540         https://bugs.webkit.org/show_bug.cgi?id=192298
1541
1542         Reviewed by Keith Miller.
1543
1544         * test262.yaml:
1545         * test262/expectations.yaml:
1546         Mark 46 tests as passing.
1547
1548         * stress/block-scope-redeclarations.js:
1549         Add some new tests.
1550
1551         * stress/for-in-invalidate-context-weird-assignments.js:
1552         * stress/for-in-tests.js:
1553         Replace tests for outdated behavior with tests for SyntaxError.
1554
1555         * ChakraCore/test/LetConst/defer3.baseline-jsc:
1556         * ChakraCore/test/LetConst/letvar.baseline-jsc:
1557         Update expectations.
1558
1559 2018-12-18  Mark Lam  <mark.lam@apple.com>
1560
1561         Skip the stress/elidable-new-object-roflcopter-then-exit.js test on 32-bit.
1562         https://bugs.webkit.org/show_bug.cgi?id=191374
1563         <rdar://problem/46525447>
1564
1565         Reviewed by Yusuke Suzuki.
1566
1567         This test runs too slow on 32-bit, and is not relevant for non-JIT builds.
1568
1569         * stress/elidable-new-object-roflcopter-then-exit.js:
1570
1571 2018-12-17  Mark Lam  <mark.lam@apple.com>
1572
1573         Skip the stress/materialized-regexp-has-correct-last-index-set-by-match.js test on 32-bit.
1574         https://bugs.webkit.org/show_bug.cgi?id=192019
1575         <rdar://problem/46525456>
1576
1577         Reviewed by Yusuke Suzuki.
1578
1579         The test runs too slow on 32-bit.
1580
1581         * stress/materialized-regexp-has-correct-last-index-set-by-match.js:
1582
1583 2018-12-17  Mark Lam  <mark.lam@apple.com>
1584
1585         Skip the stress/materialize-regexp-cyclic-regexp.js test on 32-bit.
1586         https://bugs.webkit.org/show_bug.cgi?id=191373
1587         <rdar://problem/46525458>
1588
1589         Reviewed by Yusuke Suzuki.
1590
1591         The test is already slow running with a JIT on 64-bit.  It will always time out
1592         on 32-bit without a JIT.
1593
1594         * stress/materialize-regexp-cyclic-regexp.js:
1595
1596 2018-12-17  Mark Lam  <mark.lam@apple.com>
1597
1598         Array unshift/shift should not race against the AI in the compiler thread.
1599         https://bugs.webkit.org/show_bug.cgi?id=192795
1600         <rdar://problem/46724263>
1601
1602         Reviewed by Saam Barati.
1603
1604         * stress/array-unshift-should-not-race-against-compiler-thread.js: Added.
1605
1606 2018-12-16  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1607
1608         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
1609         https://bugs.webkit.org/show_bug.cgi?id=190047
1610
1611         Reviewed by Saam Barati.
1612
1613         * stress/object-keys-cached-zero.js: Added.
1614         (shouldBe):
1615         (test):
1616         * stress/object-keys-changed-attribute.js: Added.
1617         (shouldBe):
1618         (test):
1619         * stress/object-keys-changed-index.js: Added.
1620         (shouldBe):
1621         (test):
1622         * stress/object-keys-changed.js: Added.
1623         (shouldBe):
1624         (test):
1625         * stress/object-keys-indexed-non-cache.js: Added.
1626         (shouldBe):
1627         (test):
1628         * stress/object-keys-overrides-get-property-names.js: Added.
1629         (shouldBe):
1630         (test):
1631         (noInline):
1632
1633 2018-12-17  Mark Lam  <mark.lam@apple.com>
1634
1635         SamplingProfiler's isValidFramePointer() should reject address at stack origin.
1636         https://bugs.webkit.org/show_bug.cgi?id=192779
1637         <rdar://problem/46775869>
1638
1639         Reviewed by Saam Barati.
1640
1641         * stress/sampling-profiler-should-not-sample-beyond-stack-bounds.js: Added.
1642
1643 2018-12-17  Ryan Haddad  <ryanhaddad@apple.com>
1644
1645         Unreviewed test gardening, address a syntax error in a new test.
1646
1647         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js:
1648
1649 2018-12-17  Mark Lam  <mark.lam@apple.com>
1650
1651         Suppress ASAN on valid stack accesses in Probe-based OSRExit::executeOSRExit().
1652         https://bugs.webkit.org/show_bug.cgi?id=192776
1653         <rdar://problem/46772368>
1654
1655         Reviewed by Keith Miller.
1656
1657         * stress/out-of-frame-stack-accesses-due-to-probe-based-osr-exits.js: Added.
1658
1659 2018-12-17  Mark Lam  <mark.lam@apple.com>
1660
1661         Fix stale assertion in attemptToForceStringArrayModeByToStringConversion().
1662         https://bugs.webkit.org/show_bug.cgi?id=192770
1663         <rdar://problem/46449037>
1664
1665         Reviewed by Keith Miller.
1666
1667         * stress/force-string-arrayMode-on-originalNonArray-array-class.js: Added.
1668
1669 2018-12-14  Mark Lam  <mark.lam@apple.com>
1670
1671         CallFrame::convertToStackOverflowFrame() needs to keep the top CodeBlock alive.
1672         https://bugs.webkit.org/show_bug.cgi?id=192717
1673         <rdar://problem/46660677>
1674
1675         Reviewed by Saam Barati.
1676
1677         * stress/regress-192717.js: Added.
1678
1679 2018-12-14  Commit Queue  <commit-queue@webkit.org>
1680
1681         Unreviewed, rolling out r239153, r239154, and r239155.
1682         https://bugs.webkit.org/show_bug.cgi?id=192715
1683
1684         Caused flaky GC-related crashes seen with layout tests
1685         (Requested by ryanhaddad on #webkit).
1686
1687         Reverted changesets:
1688
1689         "[JSC] Optimize Object.keys by caching own keys results in
1690         StructureRareData"
1691         https://bugs.webkit.org/show_bug.cgi?id=190047
1692         https://trac.webkit.org/changeset/239153
1693
1694         "Unreviewed, build fix after r239153"
1695         https://bugs.webkit.org/show_bug.cgi?id=190047
1696         https://trac.webkit.org/changeset/239154
1697
1698         "Unreviewed, build fix after r239153, part 2"
1699         https://bugs.webkit.org/show_bug.cgi?id=190047
1700         https://trac.webkit.org/changeset/239155
1701
1702 2018-12-14  Keith Miller  <keith_miller@apple.com>
1703
1704         Callers of JSString::getIndex should check for OOM exceptions
1705         https://bugs.webkit.org/show_bug.cgi?id=192709
1706
1707         Reviewed by Mark Lam.
1708
1709         * stress/StringObject-define-length-getter-rope-string-oom.js: Added.
1710
1711 2018-12-13  Mark Lam  <mark.lam@apple.com>
1712
1713         Add a missing exception check.
1714         https://bugs.webkit.org/show_bug.cgi?id=192626
1715         <rdar://problem/46662163>
1716
1717         Reviewed by Keith Miller.
1718
1719         * stress/regress-192626.js: Added.
1720
1721 2018-12-13  Caio Lima  <ticaiolima@gmail.com>
1722
1723         [BigInt] Add ValueDiv into DFG
1724         https://bugs.webkit.org/show_bug.cgi?id=186178
1725
1726         Reviewed by Yusuke Suzuki.
1727
1728         * stress/big-int-div-jit-osr.js: Added.
1729         * stress/big-int-div-jit-untyped.js: Added.
1730         * stress/value-div-fixup-int32-big-int.js: Added.
1731
1732 2018-12-10  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1733
1734         [JSC] Optimize Object.keys by caching own keys results in StructureRareData
1735         https://bugs.webkit.org/show_bug.cgi?id=190047
1736
1737         Reviewed by Keith Miller.
1738
1739         * stress/object-keys-cached-zero.js: Added.
1740         (shouldBe):
1741         (test):
1742         * stress/object-keys-changed-attribute.js: Added.
1743         (shouldBe):
1744         (test):
1745         * stress/object-keys-changed-index.js: Added.
1746         (shouldBe):
1747         (test):
1748         * stress/object-keys-changed.js: Added.
1749         (shouldBe):
1750         (test):
1751         * stress/object-keys-indexed-non-cache.js: Added.
1752         (shouldBe):
1753         (test):
1754         * stress/object-keys-overrides-get-property-names.js: Added.
1755         (shouldBe):
1756         (test):
1757         (noInline):
1758
1759 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1760
1761         [DFG][FTL] Add NewSymbol
1762         https://bugs.webkit.org/show_bug.cgi?id=192620
1763
1764         Reviewed by Saam Barati.
1765
1766         * microbenchmarks/symbol-creation.js: Added.
1767         (test):
1768         * stress/symbol-description-identity.js: Added.
1769         (shouldBe):
1770         (test):
1771         * stress/symbol-identity.js: Added.
1772         (shouldBe):
1773         (test):
1774         * stress/symbol-with-description-throw-error.js: Added.
1775         (shouldBe):
1776         (shouldThrow):
1777         (test):
1778         (object.toString):
1779
1780 2018-12-12  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1781
1782         [BigInt] Implement DFG/FTL typeof for BigInt
1783         https://bugs.webkit.org/show_bug.cgi?id=192619
1784
1785         Reviewed by Keith Miller.
1786
1787         * stress/big-int-boolean-proven-type.js: Added.
1788         (assert):
1789         (bool):
1790         * stress/big-int-type-of-proven-type-non-constant-including-symbol.js: Added.
1791         (assert):
1792         (typeOf):
1793         (i.switch):
1794         * stress/big-int-type-of-proven-type-non-constant.js: Added.
1795         (assert):
1796         (typeOf):
1797         * stress/big-int-type-of.js:
1798         (typeOf):
1799         (func):
1800
1801 2018-12-10  Mark Lam  <mark.lam@apple.com>
1802
1803         PropertyAttribute needs a CustomValue bit.
1804         https://bugs.webkit.org/show_bug.cgi?id=191993
1805         <rdar://problem/46264467>
1806
1807         Reviewed by Saam Barati.
1808
1809         * stress/regress-191993.js: Added.
1810
1811 2018-12-10  Caio Lima  <ticaiolima@gmail.com>
1812
1813         [BigInt] Add ValueMul into DFG
1814         https://bugs.webkit.org/show_bug.cgi?id=186175
1815
1816         Reviewed by Yusuke Suzuki.
1817
1818         * stress/big-int-mul-jit-osr.js: Added.
1819         * stress/big-int-mul-jit-untyped.js: Added.
1820         * stress/value-mul-fixup-int32-big-int.js: Added.
1821
1822 2018-12-06  Keith Miller  <keith_miller@apple.com>
1823
1824         stress/big-wasm-memory tests failing on 32-bit JSC bot
1825         https://bugs.webkit.org/show_bug.cgi?id=192020
1826
1827         Reviewed by Saam Barati.
1828
1829         Not every platform has WebAssembly, e.g. 32-bit, so we should exit
1830         the wasm stress tests if the WebAssembly object does not exist.
1831
1832         * stress/big-wasm-memory-grow-no-max.js:
1833         (test.foo):
1834         (test):
1835         (foo): Deleted.
1836         (catch): Deleted.
1837         * stress/big-wasm-memory-grow.js:
1838         (test.foo):
1839         (test):
1840         (foo): Deleted.
1841         (catch): Deleted.
1842         * stress/big-wasm-memory.js:
1843         (test.foo):
1844         (test):
1845         (foo): Deleted.
1846         (catch): Deleted.
1847
1848 2018-12-05  Mark Lam  <mark.lam@apple.com>
1849
1850         speculationFromCell() should speculate non-Identifier strings as SpecString instead of SpecStringVar.
1851         https://bugs.webkit.org/show_bug.cgi?id=192441
1852         <rdar://problem/46480355>
1853
1854         Reviewed by Saam Barati.
1855
1856         * stress/regress-192441.js: Added.
1857
1858 2018-12-04  Mark Lam  <mark.lam@apple.com>
1859
1860         DFG's StrengthReduction phase should not reduce Construct into DirectConstruct when the executable does not have constructAbility.
1861         https://bugs.webkit.org/show_bug.cgi?id=192386
1862         <rdar://problem/46445516>
1863
1864         Reviewed by Saam Barati.
1865
1866         * stress/regress-192386.js: Added.
1867
1868 2018-12-04  Caio Lima  <ticaiolima@gmail.com>
1869
1870         [ESNext][BigInt] Support logic operations
1871         https://bugs.webkit.org/show_bug.cgi?id=179903
1872
1873         Reviewed by Yusuke Suzuki.
1874
1875         * stress/big-int-branch-usage.js: Added.
1876         * stress/big-int-logical-and.js: Added.
1877         * stress/big-int-logical-not.js: Added.
1878         * stress/big-int-logical-or.js: Added.
1879
1880 2018-12-03  Ryan Haddad  <ryanhaddad@apple.com>
1881
1882         Unreviewed, rolling out r238833.
1883
1884         Breaks macOS and iOS debug builds.
1885
1886         Reverted changeset:
1887
1888         "[ESNext][BigInt] Support logic operations"
1889         https://bugs.webkit.org/show_bug.cgi?id=179903
1890         https://trac.webkit.org/changeset/238833
1891
1892 2018-12-03  Caio Lima  <ticaiolima@gmail.com>
1893
1894         [ESNext][BigInt] Support logic operations
1895         https://bugs.webkit.org/show_bug.cgi?id=179903
1896
1897         Reviewed by Yusuke Suzuki.
1898
1899         * stress/big-int-branch-usage.js: Added.
1900         * stress/big-int-logical-and.js: Added.
1901         * stress/big-int-logical-not.js: Added.
1902         * stress/big-int-logical-or.js: Added.
1903
1904 2018-12-02  Caio Lima  <ticaiolima@gmail.com>
1905
1906         [ESNext][BigInt] Implement support for "<<" and ">>"
1907         https://bugs.webkit.org/show_bug.cgi?id=186233
1908
1909         Reviewed by Yusuke Suzuki.
1910
1911         * stress/big-int-left-shift-general.js: Added.
1912         * stress/big-int-left-shift-range-error.js: Added.
1913         * stress/big-int-left-shift-type-error.js: Added.
1914         * stress/big-int-left-shift-wrapped-value.js: Added.
1915         * stress/big-int-right-shift-general.js: Added.
1916         * stress/big-int-right-shift-type-error.js: Added.
1917         * stress/big-int-right-shift-wrapped-value.js: Added.
1918         * stress/left-shift-to-primitive-precedence.js: Added.
1919         * stress/right-shift-to-primitive-precedence.js: Added.
1920
1921 2018-11-30  Dean Jackson  <dino@apple.com>
1922
1923         Add first-class support for .mjs files in jsc binary
1924         https://bugs.webkit.org/show_bug.cgi?id=192190
1925         <rdar://problem/46375715>
1926
1927         Reviewed by Keith Miller.
1928
1929         * stress/simple-module.mjs: Added.
1930         * stress/simple-script.js: Added.
1931
1932 2018-11-30  Caio Lima  <ticaiolima@gmail.com>
1933
1934         [BigInt] Implement ValueBitXor into DFG
1935         https://bugs.webkit.org/show_bug.cgi?id=190264
1936
1937         Reviewed by Yusuke Suzuki.
1938
1939         * stress/big-int-bitwise-xor-jit.js: Added.
1940         * stress/big-int-bitwise-xor-memory-stress.js: Added.
1941         * stress/big-int-bitwise-xor-untyped.js: Added.
1942
1943 2018-11-27  Saam barati  <sbarati@apple.com>
1944
1945         r238510 broke scopes of size zero
1946         https://bugs.webkit.org/show_bug.cgi?id=192033
1947         <rdar://problem/46281734>
1948
1949         Reviewed by Keith Miller.
1950
1951         * stress/r238510-bad-loop.js: Added.
1952         (foo):
1953
1954 2018-11-27  Mark Lam  <mark.lam@apple.com>
1955
1956         [Re-landing] NaNs read from Wasm code needs to be purified.
1957         https://bugs.webkit.org/show_bug.cgi?id=191056
1958         <rdar://problem/45660341>
1959
1960         Reviewed by Filip Pizlo.
1961
1962         * wasm/regress/regress-191056.js: Added.
1963
1964 2018-11-27  Ryan Haddad  <ryanhaddad@apple.com>
1965
1966         Unreviewed, rolling out r238509.
1967
1968         Causes JSC tests to fail on iOS.
1969
1970         Reverted changeset:
1971
1972         "NaNs read from Wasm code needs to be purified."
1973         https://bugs.webkit.org/show_bug.cgi?id=191056
1974         https://trac.webkit.org/changeset/238509
1975
1976 2018-11-26  Caio Lima  <ticaiolima@gmail.com>
1977
1978         Re-introduce op_bitnot
1979         https://bugs.webkit.org/show_bug.cgi?id=190923
1980
1981         Reviewed by Yusuke Suzuki.
1982
1983         * stress/bit-not-must-generate.js: Added.
1984         * stress/bitwise-not-no-int32.js: Added.
1985
1986 2018-11-26  Saam barati  <sbarati@apple.com>
1987
1988         InPlaceAbstractState::endBasicBlock rule for SetLocal should filter the value based on the flush format
1989         https://bugs.webkit.org/show_bug.cgi?id=191956
1990         <rdar://problem/45665806>
1991
1992         Reviewed by Yusuke Suzuki.
1993
1994         * stress/end-basic-block-set-local-should-filter-type.js: Added.
1995         (bar):
1996         (foo):
1997
1998 2018-11-26  Saam barati  <sbarati@apple.com>
1999
2000         Object allocation sinking phase needs to iterate each scope offset instead of just iterating the symbol table's hashmap when handling an activation
2001         https://bugs.webkit.org/show_bug.cgi?id=191958
2002         <rdar://problem/46221877>
2003
2004         Reviewed by Yusuke Suzuki.
2005
2006         * stress/object-allocation-sinking-phase-needs-to-write-to-each-scope-offset.js: Added.
2007         (x):
2008         (foo):
2009
2010 2018-11-26  Mark Lam  <mark.lam@apple.com>
2011
2012         NaNs read from Wasm code needs to be purified.
2013         https://bugs.webkit.org/show_bug.cgi?id=191056
2014         <rdar://problem/45660341>
2015
2016         Reviewed by Filip Pizlo.
2017
2018         * wasm/regress/regress-191056.js: Added.
2019
2020 2018-11-26  Michael Saboff  <msaboff@apple.com>
2021
2022         32-bit JSC test failure: stress/regexp-compile-oom.js
2023         https://bugs.webkit.org/show_bug.cgi?id=191375
2024
2025         Reviewed by Mark Lam.
2026
2027         Disabled the test for 32 bit platforms.
2028
2029         * stress/regexp-compile-oom.js:
2030
2031 2018-11-26  Tadeu Zagallo  <tzagallo@apple.com>
2032
2033         ASSERTION FAILED: m_outOfLineJumpTargets.contains(bytecodeOffset)
2034         https://bugs.webkit.org/show_bug.cgi?id=191716
2035         <rdar://problem/45723878>
2036
2037         Reviewed by Saam Barati.
2038
2039         * stress/regress-187373.js: Added.
2040         (async.fn):
2041
2042 2018-11-21  Saam barati  <sbarati@apple.com>
2043
2044         DFGSpeculativeJIT should not &= exitOK with mayExit(node)
2045         https://bugs.webkit.org/show_bug.cgi?id=191897
2046         <rdar://problem/45871998>
2047
2048         Reviewed by Mark Lam.
2049
2050         * stress/exitok-is-not-the-same-as-mayExit.js: Added.
2051         (bar):
2052         (foo):
2053
2054 2018-11-21  Saam barati  <sbarati@apple.com>
2055
2056         Fix assertion in KnownCellUse inside SpeculativeJIT::speculate
2057         https://bugs.webkit.org/show_bug.cgi?id=191895
2058         <rdar://problem/46167406>
2059
2060         Reviewed by Mark Lam.
2061
2062         * stress/known-cell-use-needs-type-check-assertion.js: Added.
2063         (foo):
2064         (bar):
2065
2066 2018-11-21  Mark Lam  <mark.lam@apple.com>
2067
2068         Creating a wasm memory that is bigger than the ArrayBuffer limit but smaller than the spec limit should throw OOME not RangeError.
2069         https://bugs.webkit.org/show_bug.cgi?id=191776
2070         <rdar://problem/46152851>
2071
2072         Reviewed by Saam Barati.
2073
2074         * stress/big-wasm-memory-grow-no-max.js:
2075         * stress/big-wasm-memory-grow.js:
2076         * stress/big-wasm-memory.js:
2077         - updated these to expect an OutOfMemoryError.
2078
2079         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE-2.js: Added.
2080         (Binary.prototype.emit_u8):
2081         (Binary.prototype.emit_u32v):
2082         (Binary.prototype.emit_header):
2083         (Binary.prototype.emit_section):
2084         (Binary):
2085         (WasmModuleBuilder):
2086         (WasmModuleBuilder.prototype.addMemory):
2087         (WasmModuleBuilder.prototype.toArray):
2088         (WasmModuleBuilder.prototype.toBuffer):
2089         (WasmModuleBuilder.prototype.instantiate):
2090         (catch):
2091         * wasm/regress/wasm-memory-requested-more-than-MAX_ARRAY_BUFFER_SIZE.js: Added.
2092         (catch):
2093
2094 2018-11-21  Caio Lima  <ticaiolima@gmail.com>
2095
2096         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
2097         https://bugs.webkit.org/show_bug.cgi?id=190836
2098
2099         Reviewed by Saam Barati and Yusuke Suzuki.
2100
2101         * stress/big-int-out-of-memory-tests.js: Added.
2102
2103 2018-11-20  Mark Lam  <mark.lam@apple.com>
2104
2105         Remove invalid assertion in VMTraps::SignalSender's SignalAction.
2106         https://bugs.webkit.org/show_bug.cgi?id=191856
2107         <rdar://problem/46089992>
2108
2109         Reviewed by Yusuke Suzuki.
2110
2111         * stress/regress-191856.js: Added.
2112         - this test is skipped for now until we have a fix for webkit.org/b/191855.
2113
2114 2018-11-21  Dominik Infuehr  <dinfuehr@igalia.com>
2115
2116         Enable JIT on ARM/Linux
2117         https://bugs.webkit.org/show_bug.cgi?id=191548
2118
2119         Reviewed by Yusuke Suzuki.
2120
2121         Disable test on system with limited memory. Program was killed by
2122         the OS before the exception was thrown.
2123
2124         * slowMicrobenchmarks/function-constructor-with-huge-strings.js:
2125
2126 2018-11-20  Saam barati  <sbarati@apple.com>
2127
2128         Merging an IC variant may lead to the IC status containing overlapping structure sets
2129         https://bugs.webkit.org/show_bug.cgi?id=191869
2130         <rdar://problem/45403453>
2131
2132         Reviewed by Mark Lam.
2133
2134         * stress/merging-ic-variants-should-bail-if-structures-overlap.js: Added.
2135
2136 2018-11-19  Mark Lam  <mark.lam@apple.com>
2137
2138         globalFuncImportModule() should return a promise when it clears exceptions.
2139         https://bugs.webkit.org/show_bug.cgi?id=191792
2140         <rdar://problem/46090763>
2141
2142         Reviewed by Michael Saboff.
2143
2144         * stress/global-import-function-should-return-a-promise-when-clearing-exceptions.js: Added.
2145
2146 2018-11-19  Guillaume Emont  <guijemont@igalia.com>
2147
2148         Skip new memory-hungry tests on memory limited devices
2149
2150         Unreviewed gardening.
2151
2152         * stress/big-wasm-memory-grow-no-max.js:
2153         * stress/big-wasm-memory-grow.js:
2154         * stress/big-wasm-memory.js:
2155
2156 2018-11-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2157
2158         Unreviewed, rolling in the rest of r237254
2159         https://bugs.webkit.org/show_bug.cgi?id=190340
2160
2161         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2162         * stress/function-cache-with-parameters-end-position.js: Added.
2163         (shouldBe):
2164         (shouldThrow):
2165         (i.anonymous):
2166         * stress/function-constructor-name.js: Added.
2167         (shouldBe):
2168         (GeneratorFunction):
2169         (AsyncFunction.async):
2170         (AsyncGeneratorFunction.async):
2171         (anonymous):
2172         (async.anonymous):
2173         * test262/expectations.yaml:
2174
2175 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2176
2177         All users of ArrayBuffer should agree on the same max size
2178         https://bugs.webkit.org/show_bug.cgi?id=191771
2179
2180         Reviewed by Mark Lam.
2181
2182         * stress/big-wasm-memory-grow-no-max.js: Added.
2183         (foo):
2184         (catch):
2185         * stress/big-wasm-memory-grow.js: Added.
2186         (foo):
2187         (catch):
2188         * stress/big-wasm-memory.js: Added.
2189         (foo):
2190         (catch):
2191
2192 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2193
2194         Unreviewed, make some more tests not crash my computer by only running one instance of it. These tests do not need to
2195         run for each JSC config since they're regression tests for runtime bugs.
2196
2197         * stress/json-stringified-overflow-2.js:
2198         * stress/json-stringified-overflow.js:
2199
2200 2018-11-16  Filip Pizlo  <fpizlo@apple.com>
2201
2202         Unreviewed, make some tests not crash my computer by only running one instance of it. These tests do not need to run for each JSC
2203         config since they're regression tests for runtime bugs.
2204
2205         * stress/large-unshift-splice.js:
2206         * stress/regress-185888.js:
2207
2208 2018-11-16  Saam Barati  <sbarati@apple.com>
2209
2210         KnownCellUse should also have SpecCellCheck as its type filter
2211         https://bugs.webkit.org/show_bug.cgi?id=191729
2212         <rdar://problem/45872852>
2213
2214         Reviewed by Filip Pizlo.
2215
2216         * stress/known-cell-type-check-should-allow-empty-value-to-flow-through.js: Added.
2217         (C):
2218
2219 2018-11-16  Tadeu Zagallo  <tzagallo@apple.com>
2220
2221         Fix assertion failure on BytecodeGenerator::recordOpcode
2222         https://bugs.webkit.org/show_bug.cgi?id=191724
2223         <rdar://problem/45724395>
2224
2225         Reviewed by Saam Barati.
2226
2227         * stress/regress-187373-2.js: Added.
2228         (foo):
2229
2230 2018-11-15  Mark Lam  <mark.lam@apple.com>
2231
2232         RegExpObject's collectMatches should not be using JSArray::push to fill in its match results.
2233         https://bugs.webkit.org/show_bug.cgi?id=191730
2234         <rdar://problem/46048517>
2235
2236         Reviewed by Saam Barati.
2237
2238         * stress/regress-187006.js: Removed.
2239           - this test is invalid because its sole purpose is to test for the non-spec
2240             compliant behavior that we just fixed.
2241
2242         * stress/regress-191730.js: Added.
2243
2244 2018-11-15  Mark Lam  <mark.lam@apple.com>
2245
2246         RegExp operations should not take fast path if lastIndex is not numeric.
2247         https://bugs.webkit.org/show_bug.cgi?id=191731
2248         <rdar://problem/46017305>
2249
2250         Reviewed by Saam Barati.
2251
2252         * stress/regress-191731.js: Added.
2253
2254 2018-11-13  Saam Barati  <sbarati@apple.com>
2255
2256         TypeProfileLog::processLogEntries should stash away any pending exceptions and re-apply them to the VM
2257         https://bugs.webkit.org/show_bug.cgi?id=191600
2258
2259         Reviewed by Mark Lam.
2260
2261         * stress/type-profiler-log-should-defer-pending-exceptions.js: Added.
2262         (foo):
2263         (test):
2264         (bar):
2265
2266 2018-11-13  Ryan Haddad  <ryanhaddad@apple.com>
2267
2268         Unreviewed, rolling out r238132.
2269
2270         The test added with this change is timing out on Debug JSC
2271         bots.
2272
2273         Reverted changeset:
2274
2275         "[BigInt] JSBigInt::createWithLength should throw when length
2276         is greater than JSBigInt::maxLength"
2277         https://bugs.webkit.org/show_bug.cgi?id=190836
2278         https://trac.webkit.org/changeset/238132
2279
2280 2018-11-13  Mark Lam  <mark.lam@apple.com>
2281
2282         Add OOM detection to StringPrototype's substituteBackreferences().
2283         https://bugs.webkit.org/show_bug.cgi?id=191563
2284         <rdar://problem/45720428>
2285
2286         Reviewed by Saam Barati.
2287
2288         * stress/regress-191563.js: Added.
2289
2290 2018-11-13  Mark Lam  <mark.lam@apple.com>
2291
2292         LLIntSlowPath's llint_loop_osr and llint_replace should set the topCallFrame.
2293         https://bugs.webkit.org/show_bug.cgi?id=191579
2294         <rdar://problem/45942472>
2295
2296         Reviewed by Saam Barati.
2297
2298         * stress/regress-191579.js: Added.
2299
2300 2018-11-13  Caio Lima  <ticaiolima@gmail.com>
2301
2302         [BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength
2303         https://bugs.webkit.org/show_bug.cgi?id=190836
2304
2305         Reviewed by Saam Barati.
2306
2307         * stress/big-int-out-of-memory-tests.js: Added.
2308
2309 2018-11-08  Ross Kirsling  <ross.kirsling@sony.com>
2310
2311         U+180E is no longer a whitespace character
2312         https://bugs.webkit.org/show_bug.cgi?id=191415
2313
2314         Reviewed by Saam Barati.
2315
2316         * ChakraCore/test/es5/regexSpace.baseline:
2317         * ChakraCore/test/es6/unicode_whitespace.js:
2318         Update tests to latest version.
2319         (See https://github.com/Microsoft/ChakraCore/commit/7c097b698de1e400286f9b957597b2a81fc6f80b.)
2320
2321         * test262.yaml:
2322         * test262/config.yaml:
2323         * test262/expectations.yaml:
2324         Update expectations.
2325
2326 2018-11-07  Caio Lima  <ticaiolima@gmail.com>
2327
2328         [BigInt] Add support to BigInt into ValueAdd
2329         https://bugs.webkit.org/show_bug.cgi?id=186177
2330
2331         Reviewed by Keith Miller.
2332
2333         * stress/big-int-negate-jit.js:
2334         * stress/value-add-big-int-and-string.js: Added.
2335         * stress/value-add-big-int-prediction-propagation.js: Added.
2336         * stress/value-add-big-int-untyped.js: Added.
2337
2338 2018-11-07  Tadeu Zagallo  <tzagallo@apple.com>
2339
2340         REGRESSION(r237547): Test failures on 32-bit JSC since the JIT was disabled
2341         https://bugs.webkit.org/show_bug.cgi?id=191184
2342
2343         Reviewed by Saam Barati.
2344
2345         Most tests were failing due to timeouts, since they are too slow to
2346         run on CLoop. The exceptions are:
2347
2348         proxy-get-set-correct-receiver.js: Had to reduce the recursion depth not to overflow on CLoop
2349         dont-crash-on-stack-overflow-when-parsing-builtin.js and
2350         dont-crash-on-stack-overflow-when-parsing-default-constructor.js: had
2351         to change the stack size since CLoop requires it to be page aligned.
2352
2353         * microbenchmarks/array-push-1.js:
2354         * microbenchmarks/array-push-2.js:
2355         * microbenchmarks/elidable-new-object-dag.js:
2356         * microbenchmarks/elidable-new-object-roflcopter.js:
2357         * microbenchmarks/elidable-new-object-tree.js:
2358         * microbenchmarks/getter-richards.js:
2359         * microbenchmarks/sinkable-new-object-dag.js:
2360         * microbenchmarks/string-concat-long-convert.js:
2361         * microbenchmarks/typed-array-get-set-by-val-profiling.js:
2362         * slowMicrobenchmarks/array-push-3.js:
2363         * slowMicrobenchmarks/large-map-iteration-with-additions.js:
2364         * slowMicrobenchmarks/spread-small-array.js:
2365         * slowMicrobenchmarks/undefined-property-access.js:
2366         * stress/activation-sink-default-value-tdz-error.js:
2367         * stress/activation-sink-default-value.js:
2368         * stress/activation-sink-osrexit-default-value-tdz-error.js:
2369         * stress/activation-sink-osrexit-default-value.js:
2370         * stress/activation-sink-osrexit.js:
2371         * stress/activation-sink.js:
2372         * stress/allow-math-ic-b3-code-duplication.js:
2373         * stress/array-push-multiple-int32.js:
2374         * stress/arrowfunction-activation-sink-osrexit-default-value-tdz-error.js:
2375         * stress/arrowfunction-lexical-this-activation-sink-osrexit.js:
2376         * stress/arrowfunction-lexical-this-activation-sink.js:
2377         * stress/dont-crash-on-stack-overflow-when-parsing-builtin.js:
2378         * stress/dont-crash-on-stack-overflow-when-parsing-default-constructor.js:
2379         * stress/elide-new-object-dag-then-exit.js:
2380         * stress/materialize-regexp-cyclic.js:
2381         * stress/new-regex-inline.js:
2382         * stress/op_add.js:
2383         * stress/op_bitand.js:
2384         * stress/op_bitor.js:
2385         * stress/op_bitxor.js:
2386         * stress/op_div-ConstVar.js:
2387         * stress/op_div-VarConst.js:
2388         * stress/op_div-VarVar.js:
2389         * stress/op_lshift-ConstVar.js:
2390         * stress/op_lshift-VarConst.js:
2391         * stress/op_lshift-VarVar.js:
2392         * stress/op_mod-ConstVar.js:
2393         * stress/op_mod-VarConst.js:
2394         * stress/op_mod-VarVar.js:
2395         * stress/op_mul-ConstVar.js:
2396         * stress/op_mul-VarConst.js:
2397         * stress/op_mul-VarVar.js:
2398         * stress/op_rshift-ConstVar.js:
2399         * stress/op_rshift-VarConst.js:
2400         * stress/op_rshift-VarVar.js:
2401         * stress/op_sub-ConstVar.js:
2402         * stress/op_sub-VarConst.js:
2403         * stress/op_sub-VarVar.js:
2404         * stress/op_urshift-ConstVar.js:
2405         * stress/op_urshift-VarConst.js:
2406         * stress/op_urshift-VarVar.js:
2407         * stress/proxy-get-set-correct-receiver.js:
2408         * stress/regress-179562.js:
2409         * stress/rest-parameter-many-arguments.js:
2410         * stress/sampling-profiler-richards.js:
2411         * stress/splay-flash-access-1ms.js:
2412         * stress/tailCallForwardArguments.js:
2413         * stress/typed-array-get-by-val-profiling.js:
2414         * typeProfiler/getter-richards.js:
2415
2416 2018-11-06  Michael Saboff  <msaboff@apple.com>
2417
2418         Multiple stress/regexp-compile-oom.js tests are failing on High Sierra Debug and Release JSC testers.
2419         https://bugs.webkit.org/show_bug.cgi?id=191271
2420
2421         Reviewed by Saam Barati.
2422
2423         Added more test cases and made all test cases run with the same deeply recursive stack
2424         instead of finding that same point for each test case.
2425
2426         * stress/regexp-compile-oom.js:
2427         (prototype.runTest):
2428         (recurseAndTest):
2429         (testList.push.new.TestAndExpectedException):
2430
2431 2018-11-05  Michael Saboff  <msaboff@apple.com>
2432
2433         Unreviewed build fix for linux.
2434
2435         * stress/regexp-compile-oom.js: Disabled for non-darwin OSes.
2436
2437 2018-11-02  Michael Saboff  <msaboff@apple.com>
2438
2439         Rolling in r237753 with unreviewed build fix.
2440
2441         Fixed issues with DECLARE_THROW_SCOPE placement.
2442
2443 2018-11-02  Ryan Haddad  <ryanhaddad@apple.com>
2444
2445         Unreviewed, rolling out r237753.
2446
2447         Introduced JSC test failures
2448
2449         Reverted changeset:
2450
2451         "Running out of stack space not properly handled in
2452         RegExp::compile() and its callers"
2453         https://bugs.webkit.org/show_bug.cgi?id=191206
2454         https://trac.webkit.org/changeset/237753
2455
2456 2018-11-02  Michael Saboff  <msaboff@apple.com>
2457
2458         Running out of stack space not properly handled in RegExp::compile() and its callers
2459         https://bugs.webkit.org/show_bug.cgi?id=191206
2460
2461         Reviewed by Filip Pizlo.
2462
2463         New regression test.
2464
2465         * stress/regexp-compile-oom.js: Added.
2466         (recurseAndTest):
2467
2468 2018-11-01  Guillaume Emont  <guijemont@igalia.com>
2469
2470         Skip tests on arm/mips that time out now we're running on CLoop
2471
2472         Unreviewed gardening.
2473
2474         Since the JIT is temporarily disabled on 32-bit platforms, these tests
2475         time out on the bots and need to be disabled. There are more tests
2476         disabled on arm because the timeout is longer on the mips bot (as the
2477         device is slower to start with), so many of the tests don't time out
2478         there.
2479
2480         * microbenchmarks/getter-richards.js: disable on arm and mips.
2481         * stress/op_add.js: disable on arm.
2482         * stress/op_bitand.js: disable on arm.
2483         * stress/op_bitor.js: disable on arm.
2484         * stress/op_bitxor.js: disable on arm.
2485         * stress/op_lshift-ConstVar.js: disable on arm.
2486         * stress/op_lshift-VarConst.js: disable on arm.
2487         * stress/op_lshift-VarVar.js: disable on arm.
2488         * stress/op_mod-ConstVar.js: disable on arm.
2489         * stress/op_mod-VarConst.js: disable on arm.
2490         * stress/op_mod-VarVar.js: disable on arm.
2491         * stress/op_mul-ConstVar.js: disable on arm.
2492         * stress/op_mul-VarConst.js: disable on arm.
2493         * stress/op_mul-VarVar.js: disable on arm.
2494         * stress/op_rshift-ConstVar.js: disable on arm.
2495         * stress/op_rshift-VarConst.js: disable on arm.
2496         * stress/op_rshift-VarVar.js: disable on arm.
2497         * stress/op_sub-ConstVar.js: disable on arm.
2498         * stress/op_sub-VarConst.js: disable on arm.
2499         * stress/op_sub-VarVar.js: disable on arm.
2500         * stress/op_urshift-ConstVar.js: disable on arm.
2501         * stress/op_urshift-VarConst.js: disable on arm.
2502         * stress/op_urshift-VarVar.js: disable on arm.
2503         * stress/spread-forward-call-varargs-stack-overflow.js: disable on arm.
2504         * stress/value-to-boolean.js: disable on arm and mips.
2505
2506 2018-10-31  Tadeu Zagallo  <tzagallo@apple.com>
2507
2508         REGRESSION(r237547): Exception handlers should be aware of wide opcodes
2509         https://bugs.webkit.org/show_bug.cgi?id=191108
2510         <rdar://problem/45690700>
2511
2512         Reviewed by Saam Barati.
2513
2514         * stress/wide-op_catch.js: Added.
2515         (catch):
2516
2517 2018-10-29  Mark Lam  <mark.lam@apple.com>
2518
2519         Correctly detect string overflow when using the 'Function' constructor.
2520         https://bugs.webkit.org/show_bug.cgi?id=184883
2521         <rdar://problem/36320331>
2522
2523         Reviewed by Saam Barati.
2524
2525         I've verified that this passes on 32-bit as well.
2526
2527         * slowMicrobenchmarks/function-constructor-with-huge-strings.js: Added.
2528
2529 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
2530
2531         Add support for GetStack FlushedDouble
2532         https://bugs.webkit.org/show_bug.cgi?id=191012
2533         <rdar://problem/45265141>
2534
2535         Reviewed by Saam Barati.
2536
2537         * stress/get-stack-double.js: Added.
2538         (bar):
2539         (noInline):
2540
2541 2018-10-29  Tadeu Zagallo  <tzagallo@apple.com>
2542
2543         New bytecode format for JSC
2544         https://bugs.webkit.org/show_bug.cgi?id=187373
2545         <rdar://problem/44186758>
2546
2547         Reviewed by Filip Pizlo.
2548
2549         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
2550
2551         * stress/maximum-inline-capacity.js: Added.
2552         (test1):
2553         (test3.Foo):
2554         (test3):
2555
2556 2018-10-26  Commit Queue  <commit-queue@webkit.org>
2557
2558         Unreviewed, rolling out r237479 and r237484.
2559         https://bugs.webkit.org/show_bug.cgi?id=190978
2560
2561         broke JSC on iOS (Requested by tadeuzagallo on #webkit).
2562
2563         Reverted changesets:
2564
2565         "New bytecode format for JSC"
2566         https://bugs.webkit.org/show_bug.cgi?id=187373
2567         https://trac.webkit.org/changeset/237479
2568
2569         "Gardening: Build fix after r237479."
2570         https://bugs.webkit.org/show_bug.cgi?id=187373
2571         https://trac.webkit.org/changeset/237484
2572
2573 2018-10-26  Tadeu Zagallo  <tzagallo@apple.com>
2574
2575         New bytecode format for JSC
2576         https://bugs.webkit.org/show_bug.cgi?id=187373
2577         <rdar://problem/44186758>
2578
2579         Reviewed by Filip Pizlo.
2580
2581         Add tests to ensure that the inferred inline capacity for a narrow op_new_object will be capped at 255.
2582
2583         * stress/maximum-inline-capacity.js: Added.
2584         (test1):
2585         (test3.Foo):
2586         (test3):
2587
2588 2018-10-26  Mark Lam  <mark.lam@apple.com>
2589
2590         Fix missing edge cases with JSGlobalObjects having a bad time.
2591         https://bugs.webkit.org/show_bug.cgi?id=189028
2592         <rdar://problem/45204939>
2593
2594         Reviewed by Saam Barati.
2595
2596         * stress/regress-189028.js: Added.
2597
2598 2018-10-22  Mark Lam  <mark.lam@apple.com>
2599
2600         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
2601         https://bugs.webkit.org/show_bug.cgi?id=190515
2602         <rdar://problem/45222379>
2603
2604         Rubber-stamped by Saam Barati.
2605
2606         Adding another test.
2607
2608         * stress/regress-190515-2.js: Added.
2609
2610 2018-10-22  Mark Lam  <mark.lam@apple.com>
2611
2612         DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
2613         https://bugs.webkit.org/show_bug.cgi?id=190515
2614         <rdar://problem/45222379>
2615
2616         Reviewed by Saam Barati.
2617
2618         * stress/regress-190515.js: Added.
2619
2620 2018-10-19  Commit Queue  <commit-queue@webkit.org>
2621
2622         Unreviewed, rolling out r237254.
2623         https://bugs.webkit.org/show_bug.cgi?id=190760
2624
2625         "It regresses JetStream 2 by 5% on some iOS devices"
2626         (Requested by saamyjoon on #webkit).
2627
2628         Reverted changeset:
2629
2630         "[JSC] JSC should have "parseFunction" to optimize Function
2631         constructor"
2632         https://bugs.webkit.org/show_bug.cgi?id=190340
2633         https://trac.webkit.org/changeset/237254
2634
2635 2018-10-19  Saam Barati  <sbarati@apple.com>
2636
2637         vmCall should check if we exit before emitting an OSR exit due to exceptions
2638         https://bugs.webkit.org/show_bug.cgi?id=190740
2639         <rdar://problem/45220139>
2640
2641         Reviewed by Mark Lam.
2642
2643         * stress/dont-emit-osr-exits-for-every-call-ftl.js: Added.
2644         (foo):
2645
2646 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
2647
2648         [ESNext][BigInt] Implement support for "^"
2649         https://bugs.webkit.org/show_bug.cgi?id=186235
2650
2651         Reviewed by Yusuke Suzuki.
2652
2653         * stress/big-int-bitwise-xor-general.js: Added.
2654         * stress/big-int-bitwise-xor-to-primitive-precedence.js: Added.
2655         * stress/big-int-bitwise-xor-type-error.js: Added.
2656         * stress/big-int-bitwise-xor-wrapped-value.js: Added.
2657
2658 2018-10-19  Caio Lima  <ticaiolima@gmail.com>
2659
2660         [BigInt] Add ValueSub into DFG
2661         https://bugs.webkit.org/show_bug.cgi?id=186176
2662
2663         Reviewed by Yusuke Suzuki.
2664
2665         * stress/big-int-subtraction-jit.js:
2666         * stress/value-sub-big-int-prediction-propagation.js: Added.
2667         * stress/value-sub-big-int-untyped.js: Added.
2668         * stress/value-sub-spec-none-case.js: Added.
2669
2670 2018-10-18  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2671
2672         [JSC] JSC should have "parseFunction" to optimize Function constructor
2673         https://bugs.webkit.org/show_bug.cgi?id=190340
2674
2675         Reviewed by Mark Lam.
2676
2677         This patch fixes the line number of syntax errors raised by the Function constructor,
2678         since we now parse the final code only once. And we no longer use block statement
2679         for Function constructor's parsing.
2680
2681         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2682         * stress/function-cache-with-parameters-end-position.js: Added.
2683         (shouldBe):
2684         (shouldThrow):
2685         (i.anonymous):
2686         * stress/function-constructor-name.js: Added.
2687         (shouldBe):
2688         (GeneratorFunction):
2689         (AsyncFunction.async):
2690         (AsyncGeneratorFunction.async):
2691         (anonymous):
2692         (async.anonymous):
2693         * test262/expectations.yaml:
2694
2695 2018-10-18  Commit Queue  <commit-queue@webkit.org>
2696
2697         Unreviewed, rolling out r237242.
2698         https://bugs.webkit.org/show_bug.cgi?id=190701
2699
2700         it breaks "stress/sampling-profiler-basic.js" (Requested by
2701         caiolima on #webkit).
2702
2703         Reverted changeset:
2704
2705         "[BigInt] Add ValueSub into DFG"
2706         https://bugs.webkit.org/show_bug.cgi?id=186176
2707         https://trac.webkit.org/changeset/237242
2708
2709 2018-10-17  Keith Miller  <keith_miller@apple.com>
2710
2711         AI does not clear Phantom allocation nodes.
2712         https://bugs.webkit.org/show_bug.cgi?id=190694
2713
2714         Reviewed by Saam Barati.
2715
2716         * stress/ftl-ai-filter-phantoms-should-clear-clear-value.js: Added.
2717         (Day):
2718         (DaysInYear):
2719         (TimeInYear):
2720         (TimeFromYear):
2721         (DayFromYear):
2722         (InLeapYear):
2723         (YearFromTime):
2724         (WeekDay):
2725         (DaylightSavingTA):
2726         (GetSecondSundayInMarch):
2727         (TimeInMonth):
2728
2729 2018-10-17  Caio Lima  <ticaiolima@gmail.com>
2730
2731         [BigInt] Add ValueSub into DFG
2732         https://bugs.webkit.org/show_bug.cgi?id=186176
2733
2734         Reviewed by Yusuke Suzuki.
2735
2736         * stress/big-int-subtraction-jit.js:
2737         * stress/value-sub-big-int-prediction-propagation.js: Added.
2738         * stress/value-sub-big-int-untyped.js: Added.
2739
2740 2018-10-16  Dominik Infuehr  <dinfuehr@igalia.com>
2741
2742         [JSC] stress/array-prototype-concat-of-long-spliced-arrays2.js times out on arm and mips
2743         https://bugs.webkit.org/show_bug.cgi?id=190611
2744
2745         Reviewed by Saam Barati.
2746
2747         Reduce array length just like in array-prototype-concat-of-long-spliced-arrays.js
2748         to improve test runtime. On ARM/MIPS this test even timed out when running all
2749         tests.
2750
2751         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
2752         (test):
2753
2754 2018-10-15  Guillaume Emont  <guijemont@igalia.com>
2755
2756         Skip stress/array-prototype-concat-of-long-spliced-arrays2.js on arm and mips/linux
2757
2758         Unreviewed gardening.
2759
2760         * stress/array-prototype-concat-of-long-spliced-arrays2.js:
2761
2762 2018-10-15  Saam Barati  <sbarati@apple.com>
2763
2764         Emit fjcvtzs on ARM64E on Darwin
2765         https://bugs.webkit.org/show_bug.cgi?id=184023
2766
2767         Reviewed by Yusuke Suzuki and Filip Pizlo.
2768
2769         * stress/double-to-int32-NaN.js: Added.
2770         (assert):
2771         (foo):
2772
2773 2018-10-15  Saam Barati  <sbarati@apple.com>
2774
2775         JSArray::shiftCountWithArrayStorage is wrong when an array has holes
2776         https://bugs.webkit.org/show_bug.cgi?id=190262
2777         <rdar://problem/44986241>
2778
2779         Reviewed by Mark Lam.
2780
2781         * stress/array-prototype-concat-of-long-spliced-arrays.js:
2782         (test):
2783         * stress/slice-array-storage-with-holes.js: Added.
2784         (main):
2785
2786 2018-10-15  Commit Queue  <commit-queue@webkit.org>
2787
2788         Unreviewed, rolling out r237054.
2789         https://bugs.webkit.org/show_bug.cgi?id=190593
2790
2791         "this regressed JetStream 2 by 6% on iOS" (Requested by
2792         saamyjoon on #webkit).
2793
2794         Reverted changeset:
2795
2796         "[JSC] JSC should have "parseFunction" to optimize Function
2797         constructor"
2798         https://bugs.webkit.org/show_bug.cgi?id=190340
2799         https://trac.webkit.org/changeset/237054
2800
2801 2018-10-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2802
2803         [JSC] JSON.stringify can accept call-with-no-arguments
2804         https://bugs.webkit.org/show_bug.cgi?id=190343
2805
2806         Reviewed by Mark Lam.
2807
2808         * stress/json-stringify-no-arguments.js: Added.
2809         (shouldBe):
2810
2811 2018-10-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2812
2813         [JSC] JSC should have "parseFunction" to optimize Function constructor
2814         https://bugs.webkit.org/show_bug.cgi?id=190340
2815
2816         Reviewed by Mark Lam.
2817
2818         This patch fixes the line number of syntax errors raised by the Function constructor,
2819         since we now parse the final code only once. And we no longer use block statement
2820         for Function constructor's parsing.
2821
2822         * ChakraCore/test/Function/FuncBodyES5.baseline-jsc:
2823         * stress/function-cache-with-parameters-end-position.js: Added.
2824         (shouldBe):
2825         (shouldThrow):
2826         (i.anonymous):
2827         * stress/function-constructor-name.js: Added.
2828         (shouldBe):
2829         (GeneratorFunction):
2830         (AsyncFunction.async):
2831         (AsyncGeneratorFunction.async):
2832         (anonymous):
2833         (async.anonymous):
2834         * test262/expectations.yaml:
2835
2836 2018-10-10  Guillaume Emont  <guijemont@igalia.com>
2837
2838         Skip JSC test stress/sampling-profiler-richards.js on armv7/linux
2839         https://bugs.webkit.org/show_bug.cgi?id=190426
2840
2841         Unreviewed gardening.
2842
2843         * stress/sampling-profiler-richards.js:
2844
2845 2018-10-06  Caio Lima  <ticaiolima@gmail.com>
2846
2847         [ESNext][BigInt] Implement support for "|"
2848         https://bugs.webkit.org/show_bug.cgi?id=186229
2849
2850         Reviewed by Yusuke Suzuki.
2851
2852         * stress/big-int-bitwise-and-jit.js:
2853         * stress/big-int-bitwise-or-general.js: Added.
2854         * stress/big-int-bitwise-or-jit-untyped.js: Added.
2855         * stress/big-int-bitwise-or-jit.js: Added.
2856         * stress/big-int-bitwise-or-memory-stress.js: Added.
2857         * stress/big-int-bitwise-or-to-primitive-precedence.js: Added.
2858         * stress/big-int-bitwise-or-type-error.js: Added.
2859         * stress/big-int-bitwise-or-wrapped-value.js: Added.
2860
2861 2018-10-05  Dominik Infuehr  <dominik.infuehr@gmail.com>
2862
2863         Skip test on systems with limited memory
2864         https://bugs.webkit.org/show_bug.cgi?id=190310
2865
2866         Invoking runDefault adds the test to the runlist; skipping the test in the next
2867         line does not prevent the test from executing. Change the order of the lines such
2868         that runDefault is only executed if test is not executed.
2869
2870         Reviewed by Mark Lam.
2871
2872         * stress/regress-190187.js:
2873
2874 2018-10-03  Saam Barati  <sbarati@apple.com>
2875
2876         lowXYZ in FTLLower should always filter the type of the incoming edge
2877         https://bugs.webkit.org/show_bug.cgi?id=189939
2878         <rdar://problem/44407030>
2879
2880         Reviewed by Michael Saboff.
2881
2882         * stress/ftl-should-always-filter-for-low-type-check-functions.js: Added.
2883         (foo):
2884         (test):
2885
2886 2018-10-03  Mark Lam  <mark.lam@apple.com>
2887
2888         Make string MaxLength for all WTF and JS strings consistently equal to INT_MAX.
2889         https://bugs.webkit.org/show_bug.cgi?id=190187
2890         <rdar://problem/42512909>
2891
2892         Reviewed by Michael Saboff.
2893
2894         * stress/regress-190187.js: Added.
2895
2896 2018-10-02  Caio Lima  <ticaiolima@gmail.com>
2897
2898         [BigInt] BigInt.prototype.toString is broken when radix is power of 2
2899         https://bugs.webkit.org/show_bug.cgi?id=190033
2900
2901         Reviewed by Yusuke Suzuki.
2902
2903         * stress/big-int-to-string.js:
2904
2905 2018-10-01  Mark Lam  <mark.lam@apple.com>
2906
2907         Function.toString() should also copy the source code of Functions that are class definitions.
2908         https://bugs.webkit.org/show_bug.cgi?id=190186
2909         <rdar://problem/44733360>
2910
2911         Reviewed by Saam Barati.
2912
2913         * stress/regress-190186.js: Added.
2914
2915 2018-10-01  Dominik Infuehr  <dinfuehr@igalia.com>
2916
2917         Split NaN-check into separate test
2918         https://bugs.webkit.org/show_bug.cgi?id=190010
2919
2920         Reviewed by Saam Barati.
2921
2922         DataView exposes NaN-representation, which is not necessarily the same on each
2923         architecture. Therefore move the check of the NaN-representation into its own
2924         file such that we can disable this test on MIPS where NaN-representation can be
2925         different on older CPUs.
2926
2927         * stress/dataview-jit-set-nan.js: Added.
2928         (assert):
2929         (test.storeLittleEndian):
2930         (test.storeBigEndian):
2931         (test.store):
2932         (test):
2933         * stress/dataview-jit-set.js:
2934         (test5):
2935
2936 2018-10-01  Commit Queue  <commit-queue@webkit.org>
2937
2938         Unreviewed, rolling out r236647.
2939         https://bugs.webkit.org/show_bug.cgi?id=190124
2940
2941         Breaking test stress/big-int-to-string.js (Requested by
2942         caiolima_ on #webkit).
2943
2944         Reverted changeset:
2945
2946         "[BigInt] BigInt.prototype.toString is broken when radix is
2947         power of 2"
2948         https://bugs.webkit.org/show_bug.cgi?id=190033
2949         https://trac.webkit.org/changeset/236647
2950
2951 2018-09-30  Caio Lima  <ticaiolima@gmail.com>
2952
2953         [BigInt] BigInt.prototype.toString is broken when radix is power of 2
2954         https://bugs.webkit.org/show_bug.cgi?id=190033
2955
2956         Reviewed by Yusuke Suzuki.
2957
2958         * stress/big-int-to-string.js:
2959
2960 2018-09-28  Caio Lima  <ticaiolima@gmail.com>
2961
2962         [ESNext][BigInt] Implement support for "&"
2963         https://bugs.webkit.org/show_bug.cgi?id=186228
2964
2965         Reviewed by Yusuke Suzuki.
2966
2967         * stress/big-int-bitwise-and-general.js: Added.
2968         (assert):
2969         (assert.sameValue):
2970         * stress/big-int-bitwise-and-jit.js: Added.
2971         (let.assert.sameValue):
2972         (bigIntBitAnd):
2973         * stress/big-int-bitwise-and-memory-stress.js: Added.
2974         (assert):
2975         * stress/big-int-bitwise-and-to-primitive-precedence.js: Added.
2976         (assert.sameValue):
2977         (let.o.Symbol.toPrimitive):
2978         (catch):
2979         * stress/big-int-bitwise-and-type-error.js: Added.
2980         (assert):
2981         (assertThrowTypeError):
2982         (let.o.valueOf):
2983         (o.valueOf):
2984         (o.toString):
2985         (o.Symbol.toPrimitive):
2986         * stress/big-int-bitwise-and-wrapped-value.js: Added.
2987         (assert.sameValue):
2988         (testBitAnd):
2989         (let.o.Symbol.toPrimitive):
2990         (o.valueOf):
2991         (o.toString):
2992
2993 2018-09-28  Ross Kirsling  <ross.kirsling@sony.com>
2994
2995         JSC test stress/jsc-read.js doesn't support CRLF
2996         https://bugs.webkit.org/show_bug.cgi?id=190063
2997
2998         Reviewed by Yusuke Suzuki.
2999
3000         In order to run this test via Windows command prompt, we can't assume that the final newline will be LF.
3001
3002         * stress/jsc-read.js:
3003         (test):
3004
3005 2018-09-27  Saam Barati  <sbarati@apple.com>
3006
3007         Verify the contents of AssemblerBuffer on arm64e
3008         https://bugs.webkit.org/show_bug.cgi?id=190057
3009         <rdar://problem/38916630>
3010
3011         Reviewed by Mark Lam.
3012
3013         * stress/regress-189132.js:
3014
3015 2018-09-27  Dominik Infuehr  <dinfuehr@igalia.com>
3016
3017         Disable test without LLInt on ARMv7
3018         https://bugs.webkit.org/show_bug.cgi?id=190037
3019
3020         Reviewed by Mark Lam.
3021
3022         Test runs out of executable memory on ARMv7; do not run
3023         this test without LLInt enabled.
3024
3025         * stress/regress-169445.js:
3026
3027 2018-09-26  Keith Miller  <keith_miller@apple.com>
3028
3029         We should zero unused property storage when rebalancing array storage.
3030         https://bugs.webkit.org/show_bug.cgi?id=188151
3031
3032         Reviewed by Michael Saboff.
3033
3034         * stress/splice-should-zero-property-storage-when-rebalancing.js: Added.
3035
3036 2018-09-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3037
3038         [JSC] Optimize Array#lastIndexOf
3039         https://bugs.webkit.org/show_bug.cgi?id=189780
3040
3041         Reviewed by Saam Barati.
3042
3043         * stress/array-lastindexof-array-prototype-trap.js: Added.
3044         (shouldBe):
3045         (AncestorArray.prototype.get 2):
3046         (AncestorArray):
3047         * stress/array-lastindexof-have-a-bad-time-c-runtime.js: Added.
3048         (shouldBe):
3049         * stress/array-lastindexof-hole-nan.js: Added.
3050         (shouldBe):
3051         (throw.new.Error):
3052         * stress/array-lastindexof-infinity.js: Added.
3053         (shouldBe):
3054         (throw.new.Error):
3055         * stress/array-lastindexof-negative-zero.js: Added.
3056         (shouldBe):
3057         (throw.new.Error):
3058         * stress/array-lastindexof-own-getter.js: Added.
3059         (shouldBe):
3060         (throw.new.Error.get array):
3061         (get array):
3062         * stress/array-lastindexof-prototype-trap.js: Added.
3063         (shouldBe):
3064         (DerivedArray.prototype.get 2):
3065         (DerivedArray):
3066
3067 2018-09-25  Saam Barati  <sbarati@apple.com>
3068
3069         Calls to baselineCodeBlockForOriginAndBaselineCodeBlock in operationMaterializeObjectInOSR should actually pass in the baseline CodeBlock
3070         https://bugs.webkit.org/show_bug.cgi?id=189940
3071         <rdar://problem/43640987>
3072
3073         Reviewed by Mark Lam.
3074
3075         * stress/use-baseline-codeblock-materialize-osr-exit.js: Added.
3076
3077 2018-09-24  Saam Barati  <sbarati@apple.com>
3078
3079         Array.prototype.indexOf fast path needs to ensure the length is still valid after performing effects
3080         https://bugs.webkit.org/show_bug.cgi?id=189922
3081         <rdar://problem/44651275>
3082
3083         Reviewed by Mark Lam.
3084
3085         * stress/array-indexof-fast-path-effects.js: Added.
3086         * stress/array-indexof-cached-length.js: Added.
3087
3088 2018-09-24  Saam Barati  <sbarati@apple.com>
3089
3090         ArgumentsEliminationPhase should snip basic blocks after proven OSR exits
3091         https://bugs.webkit.org/show_bug.cgi?id=189682
3092         <rdar://problem/43557315>
3093
3094         Reviewed by Mark Lam.
3095
3096         * stress/arguments-elimination-will-generate-edge-without-result.js: Added.
3097         (foo):
3098
3099 2018-09-22  Saam Barati  <sbarati@apple.com>
3100
3101         The sampling should not use Strong<CodeBlock> in its machineLocation field
3102         https://bugs.webkit.org/show_bug.cgi?id=189319
3103
3104         Reviewed by Filip Pizlo.
3105
3106         * stress/sampling-profiler-richards.js: Added.
3107
3108 2018-09-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3109
3110         [JSC] Optimize Array#indexOf in C++ runtime
3111         https://bugs.webkit.org/show_bug.cgi?id=189507
3112
3113         Reviewed by Saam Barati.
3114
3115         * stress/array-indexof-array-prototype-trap.js: Added.
3116         (shouldBe):
3117         (AncestorArray.prototype.get 2):
3118         (AncestorArray):
3119         * stress/array-indexof-have-a-bad-time-c-runtime.js: Added.
3120         (shouldBe):
3121         * stress/array-indexof-hole-nan.js: Added.
3122         (shouldBe):
3123         (throw.new.Error):
3124         * stress/array-indexof-infinity.js: Added.
3125         (shouldBe):
3126         (throw.new.Error):
3127         * stress/array-indexof-negative-zero.js: Added.
3128         (shouldBe):
3129         (throw.new.Error):
3130         * stress/array-indexof-own-getter.js: Added.
3131         (shouldBe):
3132         (throw.new.Error.get array):
3133         (get array):
3134         * stress/array-indexof-prototype-trap.js: Added.
3135         (shouldBe):
3136         (DerivedArray.prototype.get 2):
3137         (DerivedArray):
3138
3139 2018-09-19  Saam Barati  <sbarati@apple.com>
3140
3141         AI rule for MultiPutByOffset executes its effects in the wrong order
3142         https://bugs.webkit.org/show_bug.cgi?id=189757
3143         <rdar://problem/43535257>
3144
3145         Reviewed by Michael Saboff.
3146
3147         * stress/multi-put-by-offset-must-filter-value-before-filtering-base.js: Added.
3148         (foo):
3149         (Foo):
3150         (g):
3151
3152 2018-09-17  Mark Lam  <mark.lam@apple.com>
3153
3154         Ensure that ForInContexts are invalidated if their loop local is over-written.
3155         https://bugs.webkit.org/show_bug.cgi?id=189571
3156         <rdar://problem/44402277>
3157
3158         Reviewed by Saam Barati.
3159
3160         * stress/regress-189571.js: Added.
3161
3162 2018-09-17  Saam Barati  <sbarati@apple.com>
3163
3164         We must convert ProfileType to CheckStructureOrEmpty instead of CheckStructure
3165         https://bugs.webkit.org/show_bug.cgi?id=189676
3166         <rdar://problem/39682897>
3167
3168         Reviewed by Michael Saboff.
3169
3170         * typeProfiler/check-structure-or-empty-in-fixup.js: Added.
3171         (A):
3172         (K):
3173         (i.catch):
3174
3175 2018-09-14  Saam Barati  <sbarati@apple.com>
3176
3177         Don't dump OSRAvailabilityData in Graph::dump because a stale Availability may point to a Node that is already freed
3178         https://bugs.webkit.org/show_bug.cgi?id=189628
3179         <rdar://problem/39481690>
3180
3181         Reviewed by Mark Lam.
3182
3183         * stress/verbose-failure-dont-graph-dump-availability-already-freed.js: Added.
3184         (foo):
3185
3186 2018-09-11  Mark Lam  <mark.lam@apple.com>
3187
3188         Test for array initialization in arrayProtoFuncSplice.
3189         https://bugs.webkit.org/show_bug.cgi?id=170253
3190         <rdar://problem/31328773>
3191
3192         Rubber-stamped by Saam Barati.
3193
3194         * stress/regress-170253.js: Added.
3195
3196 2018-09-11  Mark Lam  <mark.lam@apple.com>
3197
3198         Test for IntlObject initialization.
3199         https://bugs.webkit.org/show_bug.cgi?id=170251
3200         <rdar://problem/31328419>
3201
3202         Rubber-stamped by Saam Barati.
3203
3204         * stress/regress-170251.js: Added.
3205
3206 2018-09-11  Mark Lam  <mark.lam@apple.com>
3207
3208         Test for array memcpy'ing when JSGlobalObject::haveABadTime.
3209         https://bugs.webkit.org/show_bug.cgi?id=169889
3210         <rdar://problem/31155607>
3211
3212         Reviewed by Saam Barati.
3213
3214         * stress/regress-169889-array-concat.js: Added.
3215         * stress/regress-169889-array-concat1.js: Added.
3216         * stress/regress-169889-array-slice.js: Added.
3217
3218 2018-09-11  Mark Lam  <mark.lam@apple.com>
3219
3220         Test for incorrect check in emitPutDerivedConstructorToArrowFunctionContextScope.
3221         https://bugs.webkit.org/show_bug.cgi?id=169445
3222         <rdar://problem/30957435>
3223
3224         Reviewed by Saam Barati.
3225
3226         * stress/regress-169445.js: Added.
3227         (let.gun.eval.A):
3228         (let.gun.eval.B.C):
3229         (let.gun.eval.B.C.prototype.trigger):
3230         (let.gun.eval.B.C.prototype.triggerWithRestParameters):
3231         (let.gun.eval.B):
3232         (let.gun.eval):
3233
3234 == Rolled over to ChangeLog-2018-09-11 ==